QUESTION

I have created a custom schema in Panther. The p_event_time field is not getting the value of the field that corresponds to the time that the event was created (the CreateTime field from my custom schema), but instead, it's taking the value of the field p_parse_time.

How can I amend this, and how does Panther know which field to choose if we set multiple fields with the datatype as timestamp?

ANSWER

To correct this behavior, add the isEventTime: true statement to the field CreateTime in your schema. This allows Panther to know which field should be used to populate the field p_event_time. Ensure that the type is set to timestamp. For example:

fields:
  - name: CreateTime
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true

By default, if no event time is specified for your log schema, Panther will set p_event_time equal to the parse time.
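The following is an added example of a complete custom schema (not the answer author's code, and not copied from Panther's documentation) that illustrates the second part of the question: two fields of type timestamp, where only the one carrying isEventTime: true is used to populate p_event_time. The schema name Custom.AuditExample, the field names other than CreateTime, and the description text are assumed placeholders; the top-level version/schema/fields layout and the unix and rfc3339 time formats are the ones Panther's custom schema format is understood to accept.

```yaml
# Added example schema; Custom.AuditExample and the non-CreateTime field names are assumed placeholders.
version: 0
schema: Custom.AuditExample
description: Example audit log with two timestamp fields, only one of which is the event time
fields:
  # The time the event actually happened: this is what should drive p_event_time,
  # so it is the only field marked with isEventTime: true.
  - name: CreateTime
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  # A second timestamp (e.g. when the record was exported) is still parsed as a
  # timestamp, but without isEventTime it has no influence on p_event_time.
  - name: ExportTime
    type: timestamp
    timeFormats:
      - rfc3339
  - name: Actor
    required: true
    type: string
  - name: Action
    required: true
    type: string
```

Without the isEventTime flag on any field, both timestamps are merely parsed and p_event_time falls back to p_parse_time, which is the behaviour described in the question; marking CreateTime is what makes detections and searches that rely on p_event_time reflect when the event occurred rather than when Panther ingested it.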