Searching by event time lets the user find an event by the time it actually occurred, not only by the time Logger received it. When running a search, or an operation that depends on a search, a search type parameter is added; it can be one of the following:
• End time (Event Time): Look for events that occurred within the specified time range.
• Logger Receipt time: Look for events that Logger received within the specified time range.
Enable/disable (applies to searches on non-indexed fields):
By default, this feature is enabled. The user can disable it globally during ingestion, so that the event time is replaced by the receipt time for all events sent to Logger. To disable it, open the Logger properties file and set receivers.timeparsing.enable=false, then restart the receivers process.
Search end time and CEF
End time search is only supported for CEF events. For non-CEF events, Logger uses the receipt time as the search time.
In CEF events, the event time is taken from the EndTime field (“end” in the raw event). If that field is not available, Logger uses the ReceiptTime field instead (“rt” in the raw event). If neither “end” nor “rt” is available, Logger uses the ReceiptTime by default.
For CEF events, searches based on event time require the EndTime (“end”) or ReceiptTime (“rt”) field to contain a millisecond value. Logger does not currently support other formats for this search type.
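The following Python script is an added example, not ArcSight Logger's own code. It models the timestamp selection described above: for CEF events the search time is taken from “end”, then “rt”, then the Logger receipt time; non-CEF events always use the receipt time; only millisecond epoch values are honoured for “end” and “rt”. The function names, the StoredEvent type, the handling of a non-millisecond “end” value (treated as unavailable, an assumption) and all sample events are constructed for this example.

```python
"""Event-time vs. receipt-time search selection (added example, not Logger code)."""
import re
from dataclasses import dataclass
from typing import Optional

EVENT_TIME = "Event Time"             # search type: End time (Event Time)
RECEIPT_TIME = "Logger Receipt time"  # search type: Logger Receipt time

# An unescaped '|' separates the 7 CEF header fields from the extension.
_PIPE = re.compile(r"(?<!\\)\|")
# Extension keys start the string or follow whitespace: "key=value".
_KEY = re.compile(r"(?:^|\s)(\w+)=")


@dataclass
class StoredEvent:
    raw: str          # the event text as received (constructed type)
    receipt_ms: int   # time Logger received it, epoch milliseconds


def split_cef(raw: str) -> Optional[list]:
    """Return the 8 CEF parts (7 header fields + extension), or None if not CEF."""
    parts = _PIPE.split(raw, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        return None
    return parts


def parse_extension(ext: str) -> dict:
    """Parse 'k1=v1 k2=v2 ...'; values may contain spaces but not ' key='."""
    fields = {}
    keys = list(_KEY.finditer(ext))
    for i, m in enumerate(keys):
        stop = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[m.end():stop].strip()
    return fields


def parse_millis(value: Optional[str]) -> Optional[int]:
    """Accept only a millisecond epoch integer. Any other format is treated as
    unavailable (assumption: the guide only says other formats are unsupported)."""
    if value is None or not re.fullmatch(r"\d+", value):
        return None
    return int(value)


def resolve_event_time(raw: str, receipt_ms: int) -> tuple:
    """Apply the documented precedence and report which source was used."""
    parts = split_cef(raw)
    if parts is None:                  # non-CEF event: receipt time only
        return receipt_ms, "receipt"
    ext = parse_extension(parts[7])
    for key in ("end", "rt"):          # EndTime first, then the ReceiptTime field
        ms = parse_millis(ext.get(key))
        if ms is not None:
            return ms, key
    return receipt_ms, "receipt"       # neither field usable: Logger receipt time


def search(events, start_ms: int, end_ms: int, search_type: str = EVENT_TIME):
    """Return events whose selected timestamp lies within [start_ms, end_ms]."""
    hits = []
    for ev in events:
        if search_type == RECEIPT_TIME:
            t = ev.receipt_ms
        elif search_type == EVENT_TIME:
            t, _ = resolve_event_time(ev.raw, ev.receipt_ms)
        else:
            raise ValueError(f"unknown search type: {search_type!r}")
        if start_ms <= t <= end_ms:
            hits.append(ev)
    return hits


# Constructed sample events; all of them reach Logger at the same receipt time.
RECEIVED = 1700000600000
SAMPLE_EVENTS = [
    # both fields present: "end" wins
    StoredEvent("CEF:0|Vendor|Product|1.0|100|Login|3|src=10.0.0.1 end=1700000000000 rt=1700000300000", RECEIVED),
    # only "rt" present: "rt" is used
    StoredEvent("CEF:0|Vendor|Product|1.0|101|Logout|3|src=10.0.0.2 rt=1700000100000", RECEIVED),
    # neither field: Logger receipt time
    StoredEvent("CEF:0|Vendor|Product|1.0|102|Noop|1|src=10.0.0.3", RECEIVED),
    # "end" in an unsupported (non-millisecond) format: Logger receipt time
    StoredEvent("CEF:0|Vendor|Product|1.0|103|Odd|2|end=Nov 14 2023 22:13:20 msg=text", RECEIVED),
    # non-CEF event: Logger receipt time
    StoredEvent("<13>Nov 14 22:13:20 host app: plain syslog line", RECEIVED),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(resolve_event_time(ev.raw, ev.receipt_ms))
    window = (1700000000000, 1700000200000)
    print("Event Time hits:", len(search(SAMPLE_EVENTS, *window)))
    print("Receipt time hits:", len(search(SAMPLE_EVENTS, *window, RECEIPT_TIME)))
```

Run with the sample events, an Event Time search over the window 1700000000000 to 1700000200000 returns the first two events (their “end” and “rt” values fall inside it), while a Logger Receipt time search over the same window returns nothing, because every event was received later, at 1700000600000. That difference is exactly what the search type parameter controls.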