09-03-2024 06:20 PM
Question
I want to replace _time field value with original timestamp, but I can not find way to do this.
Please tell me how to replace _time field value or Is this not possible due to specifications?
Background
When we collect logs from XDR Collector, which ingest three fields which related time.
First one is _time, which is generated by XDR Collector.
Second is _insert_time, which is generated by Cortex XDR.
Last one is original timestamp which recorded in log ( which included _raw_log or single dedicate field using parsing rule or filebeat setting)
For example, if I ingest apache http severlog, then it shows like this.
Between _time and datetime(which was created by parsing rule from _raw_log field), there are some gaps around 1 to 10 seconds.
I want to erase these gaps.
09-05-2024 11:42 AM
Hi @H.Fukuda, thanks for reaching us using the Live Community.
The _time fields is a system field that takes the value from the data entry's timestamp. If unknown, then the value is the time the data entry was added to the database. In your case you have a timestamp value in the logs, and looks like is accurate.
Is your "datetime" field rounding to zero the seconds?
09-05-2024 05:19 PM
Hi Jmazzeo,
>Is your "datetime" field rounding to zero the seconds?
No.
To show the gap, I build apache server, and generate log with using shell script which generate log each 10 seconds.
So original datetime field's seconds data will be zero.
09-10-2024 05:15 AM
Unfortunately, these fields will always be shown
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
