I'm trying to extract the timestamp exactly from the CSV for each event, but it doesn't happen. It shows only the indexed time in the search head results. Anything I'm doing here wrong?

props.conf

[websense:cg:kv]
TIME_PREFIX = "(.*?1)","(.*?)"
TIME_FORMAT = [%d/%m/%y %H:%M:%S]
TRANSFORMS-eliminate_header = eliminate_header
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER = ,
TIMESTAMP_FIELDS = Date,Time
HEADER_FIELD_LINE_NUMBER = 1

transforms.conf

[eliminate_header]
REGEX = "Date"|"Time"|"Action"|"Category Name"|"Localized Country"|"Policy Name"
DEST_KEY = queue
FORMAT = nullQueue

Sample event:

"16/02/2021","07:19:41","Allowed","Collaboration - Office","None","##DEFAULT_Policy","abc@ff.com","eer-ltp-55dd8","live.com","None","None","pptsgs.officeapps.live.com:443/","None","None","34.98.220.117","United States","52.109.124.129","United States","10.212.168.62","None","None","None","None","None","Unknown","Unknown","594","17711","18305.0","Endpoint (Proxy Connect)","Static Classification","None","443","None","Connect"
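The most likely reason the events fall back to index time is that the posted TIME_FORMAT cannot match the data: the Date field carries a four-digit year ("16/02/2021"), so %y (two-digit year) never matches, and the square brackets in "[%d/%m/%y %H:%M:%S]" are treated as literal characters that are not present in the CSV. With INDEXED_EXTRACTIONS and TIMESTAMP_FIELDS = Date,Time, Splunk joins the listed fields with a space before applying TIME_FORMAT, so a format such as "%d/%m/%Y %H:%M:%S" is what the joined value looks like; TIME_PREFIX is then unnecessary. Two further points worth checking in the deployment (stated here as general Splunk behaviour, not something visible in the post): INDEXED_EXTRACTIONS is evaluated on the forwarder that reads the file, so the stanza must live in the forwarder's props.conf, and the header line is already consumed by HEADER_FIELD_LINE_NUMBER = 1, so the nullQueue transform is not needed for it. Getting this right matters for a proxy log: a feed whose events are stamped with index time instead of event time produces timelines that drift from the firewall, endpoint and authentication sources it is correlated with, and time-bounded detections miss or double-count events. The script below is an added example, not code from the question or from Splunk; it reproduces the join-then-strptime step on the posted sample event and shows the posted format failing while the corrected format (an assumption on my part) parses. The header names are constructed for the example; only Date and Time matter here.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed: the two TIMESTAMP_FIELDS names from the question's props.conf
# stand in for the real header row. zip() below stops at the shorter list,
# so the remaining 33 columns are simply ignored.
HEADER = ["Date", "Time"]

# The sample event quoted in the question, verbatim.
SAMPLE_ROW = (
    '"16/02/2021","07:19:41","Allowed","Collaboration - Office","None",'
    '"##DEFAULT_Policy","abc@ff.com","eer-ltp-55dd8","live.com","None","None",'
    '"pptsgs.officeapps.live.com:443/","None","None","34.98.220.117","United States",'
    '"52.109.124.129","United States","10.212.168.62","None","None","None","None",'
    '"None","Unknown","Unknown","594","17711","18305.0","Endpoint (Proxy Connect)",'
    '"Static Classification","None","443","None","Connect"'
)

# TIME_FORMAT exactly as posted: literal brackets plus a two-digit year.
POSTED_TIME_FORMAT = "[%d/%m/%y %H:%M:%S]"
# Assumed fix: four-digit year, no brackets, one space between the joined fields.
CORRECTED_TIME_FORMAT = "%d/%m/%Y %H:%M:%S"


def joined_timestamp(row: str, fields=("Date", "Time")) -> str:
    """Mimic TIMESTAMP_FIELDS: pick the named CSV columns and join them with a space."""
    values = next(csv.reader(StringIO(row)))
    record = dict(zip(HEADER, values))
    return " ".join(record[name] for name in fields)


def parse_timestamp(row: str, time_format: str):
    """Apply a strptime-style TIME_FORMAT to the joined value.

    Returns a datetime on success, or None when the format does not match,
    which is the situation in which Splunk falls back to index time.
    """
    try:
        return datetime.strptime(joined_timestamp(row), time_format)
    except ValueError:
        return None


def format_warnings(time_format: str, sample_value: str) -> list:
    """Flag the two mismatches present in the posted TIME_FORMAT."""
    warnings = []
    if "%y" in time_format and len(sample_value.split("/")[-1].split()[0]) == 4:
        warnings.append("%y expects a two-digit year but the data has four digits; use %Y")
    for literal in "[]":
        if literal in time_format and literal not in sample_value:
            warnings.append(f"literal '{literal}' in TIME_FORMAT never appears in the data")
    return warnings


if __name__ == "__main__":
    value = joined_timestamp(SAMPLE_ROW)
    print("joined Date+Time :", value)
    print("posted format    :", parse_timestamp(SAMPLE_ROW, POSTED_TIME_FORMAT))
    for w in format_warnings(POSTED_TIME_FORMAT, value):
        print("  warning:", w)
    print("corrected format :", parse_timestamp(SAMPLE_ROW, CORRECTED_TIME_FORMAT))
```

Running it prints the joined value "16/02/2021 07:19:41", None for the posted format together with the two warnings, and a 2021-02-16 07:19:41 datetime for the corrected format. Splunk's own strptime dialect is what is authoritative, but these two mismatches fail under any strptime implementation, so they are the first thing to correct before looking at forwarder placement or the transform.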