the default value is "item.timestamp", this send splunk the timestamp of the cloudwatch log, and not the eventTime. i have tried replacing it with "parsed.eventTime" "payload.eventTime" etc, all result in failure to send logs. what is the correct object to get eventTime as the logtime
... View more
thank you for the response. i have tried several variations of what you have provided and it always provides zero results. i can get results with independent searches but as soon as i do a join i get nothing. im thinking it has something to do with the time differential. the IPS event happened 15 minutes ago, but the dhcp request was logged 4 hours ago?
... View more