Log Monitor - How to use receipt time?

Follow

Tim Jordan

• April 01, 2021 00:11

We are trying out the new monitor functionality for logs, however we are running into an issue where the monitor isn't firing because the message are not received within the search window. For example, the search window is 30 minutes, but there is a delay which means the log that triggers the event is received 40 minutes after the time-stamp on the log. 

In this scenario I am seeing the monitor is not being triggered. A simple solution would be to base the monitor search query on receipt time instead of message time.

Does anyone know how to use the receipt for log monitors instead of the message time?

1

• Official comment

  

  Graham Watts

  • April 01, 2021 04:41

  Hi Tim,
  
  I am confirming with my alerting Product Manager but I believe using _receiptTime for Logs Monitors is not yet supported. You may need to use Scheduled Searches for this.
  
  Also, which source type has a 40 minute delay? If it is S3 based I recommend setting up S3 Event Notification (SNS) integration on your S3 source to make collection immediate. 

  
  Speak soon,
  
  Graham

  Comment actions Permalink
• 

  Tim Jordan

  • April 01, 2021 05:11
  • Edited

  Thanks for the response, the particular source we are having issues with is the S3, which we will be switching to SNS. However, my experience has been with things like Microsoft 365, Mimecast and installed collectors there can be at times be a significant differences between receipt and event time, the latter sometimes due to system outages, etc.
  
  Due to this I have always used receipt time to make sure I won't miss any events, as for various reasons there are times when some sources just don't send events promptly enough.
  
  Any idea when the_receipttime may be supported?
  
  Thanks,

  Tim

  0

  Comment actions Permalink

Please sign in to leave a comment.