We are trying out the new monitor functionality for logs, however we are running into an issue where the monitor isn't firing because the messages are not received within the search window. For example, the search window is 30 minutes, but there is a delay which means the log that triggers the event is received 40 minutes after the timestamp on the log.
In this scenario I am seeing the monitor is not being triggered. A simple solution would be to base the monitor search query on receipt time instead of message time.
Does anyone know how to use the receipt time for log monitors instead of the message time?