Hey,
I have been trying to solve the following issue for several days.
I'm sending JSON data over TCP (9997); the data arrives completely, but the "_time" field that is saved is the actual indexing time instead of the "time" field that I've added before. I tried to configure props.conf both with JSON and with regex, but neither has worked.
What makes things even weirder is that some of the logs that contain another timestamp field are indexed with this field. I was also trying to play around with this, but nothing helped.
I'm running an all-in-one deployment from a container.
Thanks,
------------
props.conf
[evtx]
MAX_DAYS_AGO = 10951
#INDEXED_EXTRACTIONS = JSON
#KV_MODE = none
#TRANSFORMS-jsonextraction = json_extract
#TIME_PREFIX = time.:.
#TIME_FORMAT = %Y-%m-%dT%H:%M:%S
#TIMESTAMP_FIELDS = time
CHARSET = UTF-8
INDEXED_EXTRACTIONS = json
KV_MODE = none
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = 1
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%6NZ
TIMESTAMP_FIELDS=time
LINE_BREAKER = ([\r\n]+)
category = Structured
description = ODATA SCPI MPL JSON
log sample - time is indexed based on "Event.NewTime":
{ "cribl_breaker":"fallback",
"collector":"in_evtx_to_json",
"time":"2023-05-18T11:41:20.687637Z",
"EventData":{"NewTime":"2023-05-18T11:41:20.697000Z",
"PreviousTime":"2023-05-18T11:41:20.707011Z",
"ProcessId":"0x46c",
"ProcessName":"C:\\Windows\\System32\\svchost.exe",
"SubjectDomainName":"NT AUTHORITY",
"SubjectLogonId":"0x3e5",
"SubjectUserName":"LOCAL SERVICE",
"SubjectUserSid":"S-1-5-19"},
"System":{"Channel":"Security",
"Computer":"test123",
"Correlation":null,
"EventID":4616,
"EventRecordID":108506811,
"Execution":{"#attributes":{"ProcessID":4,
"ThreadID":1752}},
"Keywords":"0x8020000000000000",
"Level":0,
"Opcode":0,
"Provider":{"#attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D",
"Name":"Microsoft-Windows-Security-Auditing"}},
"Security":null,
"Task":12288,
"TimeCreated":{"#attributes":{"SystemTime":"2023-05-18T11:41:20.687637Z"}},
"Version":1}}
log sample - time is indexed based on arrival time:
{"cribl_breaker":"fallback",
"collector":"in_evtx_to_json",
"time":"2023-05-06T20:01:58.205343Z",
"EventData":{"HandleId":"0x6a30",
"ObjectServer":"Security",
"ProcessId":"0x4f4",
"ProcessName":"C:\\Windows\\System32\\svchost.exe",
"SubjectDomainName":"test.local",
"SubjectLogonId":"0x3e4",
"SubjectUserName":"test",
"SubjectUserSid":"S-1-5-20"},
"System":{"Channel":"Security",
"Computer":"test123",
"Correlation":null,
"EventID":4658,
"EventRecordID":107343779,
"Execution":{"#attributes":{"ProcessID":4,
"ThreadID":109608}},
"Keywords":"0x8020000000000000",
"Level":0,
"Opcode":0,
"Provider":{"#attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D",
"Name":"Microsoft-Windows-Security-Auditing"}},
"Security":null,
"Task":12800,
"TimeCreated":{"#attributes":{"SystemTime":"2023-05-06T20:01:58.205343Z"}},
"Version":0}}
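An added local check (my code, not from the post or from Splunk): it emulates how the TIMESTAMP_FIELDS and TIME_FORMAT values in the props.conf above would select a field from the two posted events, and lists every field in each event whose value parses under that format, so you can see which timestamps compete. It assumes that Splunk's %6N maps to Python's %f and uses trimmed copies of the posted events as constructed input.

```python
import json
import re
from datetime import datetime, timezone

TIMESTAMP_FIELDS = "time"                  # from the props.conf in the post
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%6NZ"     # from the props.conf in the post

# Trimmed copies of the two posted events (same timestamp values, fewer keys),
# parsed from the JSON text exactly as it would arrive on the wire.
SAMPLE_NEWTIME = json.loads(
    '{"collector":"in_evtx_to_json","time":"2023-05-18T11:41:20.687637Z",'
    '"EventData":{"NewTime":"2023-05-18T11:41:20.697000Z",'
    '"PreviousTime":"2023-05-18T11:41:20.707011Z","ProcessId":"0x46c"},'
    '"System":{"EventID":4616,"TimeCreated":{"#attributes":'
    '{"SystemTime":"2023-05-18T11:41:20.687637Z"}}}}')
SAMPLE_ARRIVAL = json.loads(
    '{"collector":"in_evtx_to_json","time":"2023-05-06T20:01:58.205343Z",'
    '"EventData":{"HandleId":"0x6a30"},"System":{"EventID":4658,"TimeCreated":'
    '{"#attributes":{"SystemTime":"2023-05-06T20:01:58.205343Z"}}}}')

def parse_ts(value, fmt=TIME_FORMAT):
    # Epoch seconds (UTC) if the whole string matches fmt, else None. Splunk's
    # %N / %<n>N sub-second token has no strptime equivalent, so map it to %f.
    try:
        dt = datetime.strptime(value, re.sub(r"%\d*N", "%f", fmt))
    except (TypeError, ValueError):
        return None
    return dt.replace(tzinfo=timezone.utc).timestamp()

def candidates(event, fmt=TIME_FORMAT, prefix=""):
    # Dotted paths of every string that parses under fmt, in document order:
    # the fields that compete when the configured one is not honoured.
    found = []
    for key, value in event.items():
        if isinstance(value, dict):
            found += candidates(value, fmt, prefix + key + ".")
        elif parse_ts(value, fmt) is not None:
            found.append(prefix + key)
    return found

def extract_time(event, fields=TIMESTAMP_FIELDS, fmt=TIME_FORMAT):
    # Emulate TIMESTAMP_FIELDS: first listed field (dotted paths allowed) whose
    # value parses under fmt -> (path, epoch); (None, None) means Splunk would
    # fall back to another recognised timestamp or to the index time.
    for path in [f.strip() for f in fields.split(",")]:
        node = event
        for key in path.split("."):
            node = node.get(key) if isinstance(node, dict) else None
        epoch = parse_ts(node, fmt)
        if epoch is not None:
            return path, epoch
    return None, None
```

Both posted events have a top-level "time" value that parses under the configured format, so the format string itself does not explain the difference between the two cases. Note that strptime requires the entire value to match, so a failure here is a stronger signal than a success.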