I installed this add-on/app on Heavy Forwarder and configured inputs as:
Name: oms_test_env
Interval: 60
Index: main
Resource Group: xxxx
Workspace Name: xxxx
Subscription ID: xxxxx
Tenant ID: xxxx
Application ID: xxxx
Application ID: xxxx
Log Analytics Query: search *
Start Date: 15/08/2018 00:00:00
Event Delay/lag Time: 15
Modified line number 91
# before (backslash escape sequence reconstructed so the literal is valid Python):
value = str(data["tables"]["rows"][i][n]).replace('"',"'").replace("\\", "\\\\").replace("None", "")
# after: also strip CR/LF so a value that holds a dictionary stays on one line
value = str(data["tables"]["rows"][i][n]).replace('"',"'").replace("\\", "\\\\").replace("None", "").replace("\r\n","")
This will remove newlines and carriage returns if the field value is a dictionary. Because field values contain dictionaries that include newlines, I could see lines breaking. This change will avoid the line breaking.
One more: the TA is indexing the data with the current time, not with the event time.
Timestamp mapping: add the code below to local/props.conf if you have installed the TA on the HF, or add it on the Indexer.
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%Z
TIME_PREFIX = "TimeGenerated":"
One more: the TA does not support multiple inputs,
since your checkpoint can't differentiate the input name.
I hope you consider all these changes and update the TA, or I will try to complete the TA which I am already working on.
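The three points above (the line-91 flattening, indexing on TimeGenerated instead of fetch time, and a checkpoint that knows which input it belongs to) as one added example. This is not the TA's code and not code from the thread; the response shape, the column names and the checkpoint file layout are assumptions, and the sample response is constructed. It goes one step further than the posted line by also dropping a bare LF or CR, and it derives the checkpoint file name only from path-safe characters of the input name.

```python
import json
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructed sample in the shape of a Log Analytics query response
# (assumption: one table with a column list and rows; the "dynamic" column
# arrives as a JSON string that contains a real CR LF, which is what splits
# one event over several lines in the thread).
SAMPLE_RESPONSE = {
    "tables": [{
        "name": "PrimaryResult",
        "columns": [
            {"name": "TimeGenerated", "type": "datetime"},
            {"name": "Computer", "type": "string"},
            {"name": "Properties", "type": "dynamic"},
        ],
        "rows": [
            ["2018-08-15T00:00:05.1234567Z", "vm01",
             '{"msg":"line one\r\nline two","code":null}'],
        ],
    }]
}


def flatten_value(cell):
    """Same steps as the modified line 91: stringify, swap double quotes for
    single ones, double backslashes, drop "None", then remove line breaks.
    Goes one step further than the thread by also dropping a bare LF or CR."""
    text = str(cell).replace('"', "'").replace("\\", "\\\\").replace("None", "")
    return text.replace("\r\n", "").replace("\n", "").replace("\r", "")


def event_time(time_generated):
    """Epoch seconds for a TimeGenerated value such as
    2018-08-15T00:00:05.1234567Z (UTC, up to seven fractional digits)."""
    base, _, frac = time_generated.rstrip("Z").partition(".")
    stamp = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    micros = int((frac + "000000")[:6]) if frac else 0
    return stamp.timestamp() + micros / 1_000_000


def row_to_event(columns, row):
    """One single-line event keyed by column name."""
    fields = ['"%s":"%s"' % (col["name"], flatten_value(cell))
              for col, cell in zip(columns, row)]
    return "{" + ",".join(fields) + "}"


def process_response(response):
    """Return (epoch_time, event_line) per row, taking the event time from
    TimeGenerated rather than from the moment of the fetch."""
    out = []
    for table in response["tables"]:
        names = [c["name"] for c in table["columns"]]
        for row in table["rows"]:
            when = event_time(row[names.index("TimeGenerated")])
            out.append((when, row_to_event(table["columns"], row)))
    return out


class Checkpoint:
    """One checkpoint file per input name, so two inputs never share a
    last-fetched time (hypothetical layout, not the TA's). The file name is
    built only from path-safe characters of the input name."""

    def __init__(self, directory):
        self.directory = directory

    def _path(self, input_name):
        safe = re.sub(r"[^A-Za-z0-9_.-]", "_", input_name)
        return os.path.join(self.directory, safe + ".json")

    def load(self, input_name, default=None):
        try:
            with open(self._path(input_name)) as fh:
                return json.load(fh)["last_time"]
        except (OSError, ValueError, KeyError):
            return default

    def save(self, input_name, last_time):
        with open(self._path(input_name), "w") as fh:
            json.dump({"last_time": last_time}, fh)


def checkpoint_demo(directory=None):
    """Save a time for one input and show that a second input does not see it."""
    cp = Checkpoint(directory or tempfile.mkdtemp())
    cp.save("oms_test_env", "2018-08-15T00:00:05Z")
    return cp.load("oms_test_env"), cp.load("oms_prod_env", "15/08/2018 00:00:00")


if __name__ == "__main__":
    for when, line in process_response(SAMPLE_RESPONSE):
        print(when, line)
    print(checkpoint_demo())
```

Note that `.replace("None", "")` is a plain substring replace, exactly as in the posted line, so a value such as a host named "Nonesuch" loses those four characters; match on whole cells (`cell is None`) if that matters for your data.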
Yes, I had a similar issue: I created an input and, due to an internal problem, the ports got disabled. Then I created a new input and gave the fetch date as an old date with a new index,
but in the new index the timestamp was from the date the previous input was disabled.
The TA is not looking at the event timestamp (TimeGenerated); the TA will index events with the time when you fetch.
@thambisetty, yes, the TA will index events with the time I fetch, but I schedule it to run every 60 sec, so there should not be much lag...
I think @jkat54 pointed out something regarding UTC...