Hi,

For correlation and profiling, the presence of a correct timestamp / event time is important. What should I do with a device that implements CEF output but does not properly provide the rt field? Also, syslogTime is not parsed by the CEF parser.

There is another field present; how can I ensure this field is taken as the timestamp for further analysis and ingest into ES and HDFS? Also, is it not necessary to have the type of a field set during (CEF) parsing (maybe I am missing something there)?

Sincerely,
Pieter
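As an added illustration of the timestamp problem raised above (this is example code written for this thread, not the parser of any particular platform or vendor), the following Python script parses a syslog-framed CEF line, then picks the event time from `rt` if present, otherwise from another CEF date extension (`end`, `start`, `deviceCustomDate1`), and only as a last resort from the syslog header time. The resulting `timestamp` is emitted as an epoch-milliseconds integer so that a downstream store can map it as a numeric/date type rather than a string. The sample lines, the host name `fw01`, the vendor `Acme`, and the assumption that offset-less times are UTC are all constructed for this example; the RFC 3164 header carries no year, so the caller supplies one.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not from any real device). The first has no rt
# but carries the standard CEF extension deviceCustomDate1; the second has no
# time extension at all, so only the syslog header time remains.
SAMPLE_LINES = [
    "Oct 11 22:14:15 fw01 CEF:0|Acme|Firewall|1.0|100|Login failed|5|"
    "src=10.0.0.1 deviceCustomDate1=Oct 11 2018 22:14:15 msg=auth failed for user\\=admin",
    "Oct 12 03:00:01 fw01 CEF:0|Acme|Firewall|1.0|101|Policy update|3|act=allow",
]

# RFC 3164 style header: "Mon dd HH:MM:SS host CEF:..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<cef>CEF:.*)$"
)
# CEF header fields are separated by pipes; a literal pipe is escaped as "\|".
HEADER_SPLIT_RE = re.compile(r"(?<!\\)\|")
# Extension pairs are separated by a space that is followed by "key=";
# a literal "=" inside a value must be escaped as "\=", which the lookahead skips.
EXT_SPLIT_RE = re.compile(r" (?=[A-Za-z0-9_.]+=)")

HEADER_FIELDS = ["version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "signatureId", "name", "severity"]
# Preference order for the event time: rt is the CEF standard receipt time,
# the others are standard CEF date extensions a device may fill instead.
TIME_FIELDS = ["rt", "end", "start", "deviceCustomDate1"]
# Textual layouts accepted besides epoch milliseconds. Treating them as UTC
# when no zone is given is an assumption of this example.
CEF_TIME_FORMATS = ["%b %d %Y %H:%M:%S", "%b %d %Y %H:%M:%S.%f"]


def unescape(value):
    """Remove CEF backslash escapes (\\|, \\=, \\\\)."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_cef(cef_text):
    """Split 'CEF:0|...|extension' into a header dict and an extension dict."""
    parts = HEADER_SPLIT_RE.split(cef_text, maxsplit=7)
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    header = {k: unescape(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    header["version"] = header["version"][len("CEF:"):]
    ext = {}
    if len(parts) == 8 and parts[7]:
        for pair in EXT_SPLIT_RE.split(parts[7]):
            key, _, value = pair.partition("=")
            ext[key] = unescape(value)
    return header, ext


def parse_cef_time(value):
    """Parse a CEF timestamp value; returns an aware datetime or None."""
    if value.isdigit():  # epoch milliseconds
        return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
    for fmt in CEF_TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def parse_syslog_time(value, year):
    """RFC 3164 header time has no year, so the caller must supply it."""
    return datetime.strptime(f"{value} {year}", "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def normalize_event(line, year):
    """Return a flat event dict with an integer 'timestamp' (epoch ms) and a
    'timestamp_source' field recording which input field supplied it."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("line is not syslog-framed CEF")
    header, ext = parse_cef(m.group("cef"))
    event = {**header, **ext, "host": m.group("host"), "syslogTime": m.group("ts")}
    for field in TIME_FIELDS:
        if field in ext:
            ts = parse_cef_time(ext[field])
            if ts is not None:
                event["timestamp"] = int(ts.timestamp() * 1000)
                event["timestamp_source"] = field
                return event
    # Fallback: the syslog header time, which a plain CEF parser would drop.
    ts = parse_syslog_time(m.group("ts"), year)
    event["timestamp"] = int(ts.timestamp() * 1000)
    event["timestamp_source"] = "syslogTime"
    return event


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        ev = normalize_event(sample, year=2018)
        print(ev["timestamp_source"], ev["timestamp"], ev["name"])
```

Keeping the `timestamp_source` field in the event is useful for detection hygiene: an alert that fires on events whose time came from the syslog header rather than the device clock is an early warning that a sensor is mis-configured or that its clock is drifting.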