Hi Experts,
I have a even like below generated from my application.
{
"index": "exp_prod",
"host": "myhost.com",
"source": "app.logs",
"sourcetype": "_json",
"event": [
{
"Sender": "AZSB",
"Status": "COMPLETED",
"ApplicationMessageType": "utility",
"CustomStatus": "COMPLETED",
"ApplicationMessageId": "",
"MessageGuid": "AF61XzlbeOSc7c1yBkfQ-dTqo8VI",
"LogStart": "2020-05-08T13:31:37.053",
"Receiver": "JMS",
"CorrelationId": "AF61Xzm4KCX0sO8q3PGewmmlZqem",
"LogEnd": "2020-05-08T13:31:37.063"
},
{
"Sender": "AZSB",
"Status": "COMPLETED",
"ApplicationMessageType": "Article",
"CustomStatus": "NA",
"ApplicationMessageId": "180730",
"MessageGuid": "AF61Xzkb-vFb_xEgpfQw1mgNbPc5",
"LogStart": "2020-05-08T13:31:37.046",
"Receiver": "JMS",
"CorrelationId": "AF61XzkvcPiugQGqmXc6LrN3GQ42",
"LogEnd": "2020-05-08T13:31:37.063"
}
]
}
Now when I send this event to Spluk Cloud using HEC, it create two event's but the timestamp if the event is the current timestamp. However I want event time stamp to be populated from LogStart.
How to achieve this? I tried customer source type like below, but the result is same. Please assist.
... View more