Log Monitor - How to use receipt time?



  • Official comment
    Graham Watts

    Hi Tim,

    I am confirming with my alerting Product Manager but I believe using _receiptTime for Logs Monitors is not yet supported. You may need to use Scheduled Searches for this.

    Also, which source type has a 40 minute delay? If it is S3 based I recommend setting up S3 Event Notification (SNS) integration on your S3 source to make collection immediate. 

    Speak soon,


  • Tim Jordan

    Thanks for the response. The particular source we are having issues with is the S3, which we will be switching to SNS. However, my experience has been that with things like Microsoft 365, Mimecast and installed collectors there can at times be significant differences between receipt and event time, the latter sometimes due to system outages, etc.

    Due to this I have always used receipt time to make sure I won't miss any events, as for various reasons there are times when some sources just don't send events promptly enough.

    Any idea when _receiptTime may be supported?


