I have created a custom schema in Panther. The p_event_time field is not getting the value of the field that corresponds to the time that the event was created (the CreateTime field from my custom schema), but instead it's taking the value of the field p_parse_time.

How can I amend this, and how does Panther know which field to choose if we set multiple fields with the datatype as timestamp?
To correct this behavior, add isEventTime: true to the CreateTime field in your schema. This tells Panther which field should be used to populate p_event_time. Ensure that the field's type is set to timestamp. For example:
fields:
  - name: CreateTime
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
By default, if no event time is specified for your log schema, Panther will set p_event_time equal to the parse time.
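To make the selection rule concrete, here is an added example (not Panther's own code) that models the behavior described above: a schema field flagged with isEventTime: true (and typed timestamp) supplies p_event_time, and when no field carries the flag, p_event_time falls back to p_parse_time. The schema fragments, the raw event and the parse time are constructed for this example; only the unix and rfc3339 time formats are modelled.

```python
"""Model of how an event-time field is selected for p_event_time.

Added example, not Panther's own code. A schema field marked
``isEventTime: true`` supplies p_event_time; when no field is marked,
p_event_time falls back to the parse time (p_parse_time). The schemas,
raw event and parse time below are constructed for this illustration.
"""
from datetime import datetime, timezone

# Constructed schema fragments: one with isEventTime set, one without.
SCHEMA_WITH_EVENT_TIME = {
    "fields": [
        {"name": "CreateTime", "type": "timestamp",
         "timeFormats": ["unix"], "isEventTime": True},
        {"name": "Message", "type": "string"},
    ]
}
SCHEMA_WITHOUT_EVENT_TIME = {
    "fields": [
        {"name": "CreateTime", "type": "timestamp", "timeFormats": ["unix"]},
        {"name": "Message", "type": "string"},
    ]
}

# Constructed raw event: CreateTime is a Unix epoch in seconds
# (1700000000 == 2023-11-14T22:13:20Z).
RAW_EVENT = {"CreateTime": 1700000000, "Message": "user login"}

# Constructed moment at which the event is processed.
PARSE_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)


def parse_timestamp(value, time_formats):
    """Parse a timestamp using the first format in the list that is modelled.

    Only ``unix`` (seconds since epoch) and ``rfc3339`` are handled here;
    Panther supports more formats than this example shows.
    """
    for fmt in time_formats:
        if fmt == "unix":
            return datetime.fromtimestamp(int(value), tz=timezone.utc)
        if fmt == "rfc3339":
            return datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    raise ValueError(f"no usable time format in {time_formats!r}")


def event_time_field(schema):
    """Return the name of the timestamp field flagged as event time, or None.

    A field qualifies only if it is both type ``timestamp`` and flagged
    ``isEventTime``; several timestamp fields without the flag select nothing.
    """
    for field in schema["fields"]:
        if field.get("type") == "timestamp" and field.get("isEventTime"):
            return field["name"]
    return None


def enrich(raw_event, schema, parse_time):
    """Attach p_parse_time and p_event_time to a raw event.

    p_event_time comes from the flagged field when the schema has one and the
    event carries it; otherwise it is set equal to parse_time.
    """
    event = dict(raw_event)
    event["p_parse_time"] = parse_time
    name = event_time_field(schema)
    if name is not None and name in raw_event:
        field = next(f for f in schema["fields"] if f["name"] == name)
        event["p_event_time"] = parse_timestamp(raw_event[name], field["timeFormats"])
    else:
        event["p_event_time"] = parse_time
    return event


if __name__ == "__main__":
    for label, schema in (("with isEventTime", SCHEMA_WITH_EVENT_TIME),
                          ("without isEventTime", SCHEMA_WITHOUT_EVENT_TIME)):
        out = enrich(RAW_EVENT, schema, PARSE_TIME)
        print(f"{label}: p_event_time={out['p_event_time'].isoformat()} "
              f"p_parse_time={out['p_parse_time'].isoformat()}")
```

Running the script prints one line per schema: with the flag, p_event_time is the parsed CreateTime value; without it, p_event_time equals p_parse_time, which is exactly the symptom in the question.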