Esa Time Netwitness 11.3
Before NetWitness 11.3, we were using the meta "esa.time" in some correlation rules with Esper Date-Time Methods.
After upgrading to version 11.3+, we noticed that the "esa.time" meta no longer exists and, of course, our old rules were no longer deployed.
Is this meta deprecated or replaced with something else?
Tags: Community Thread, ESA Rules, Forum Thread, netwitness 11.3, RSA NetWitness, RSA NetWitness Platform
I would like to understand your usage of the meta "esa.time" within your rules before recommending anything, but the way we define the various timestamps with respect to the meta is as follows:
- The meta "esa.time" refers to the time when ESA analyzed the event.
- The meta "event.time" is the time when the event actually occurred, i.e., the timestamp in the log.
- The meta "time" is when the decoder captured it.
If you would like to use the actual event time, you should set your "timeFieldMeta" to "time" or "event.time", whichever you prefer based on the rules. If you don't, then use-event-time will be set to false, whereby it uses the ESA aggregation time "esa.time" for analysis.
Hope this helps.
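The following is an added illustration, not code from the thread or from RSA, of why the choice between the three timestamps matters for a threshold rule. It simulates a "five failed logons from one source within 60 seconds" correlation over constructed events in which the last two log lines reached the decoder and ESA several minutes late (a forwarder backlog, for instance). The meta names `ip_src` and `ec_outcome`, the sample values, and the sliding-window logic are all assumptions made for the example; the real ESA engine evaluates Esper EPL, which this plain Python does not reproduce.

```python
from datetime import datetime, timedelta, timezone

# Constructed base timestamp for the sample events (illustrative, not from the thread).
T0 = datetime(2019, 6, 1, 12, 0, 0, tzinfo=timezone.utc)


def ts(seconds):
    """Offset helper so the sample below reads as seconds after T0."""
    return T0 + timedelta(seconds=seconds)


# Constructed sample: five failures from one source. Each record carries the three
# timestamps described in the answer:
#   "event.time" - when the event occurred (timestamp written in the log)
#   "time"       - when the decoder captured it
#   "esa.time"   - when ESA analyzed it
# The last two records arrived at the decoder/ESA about six minutes late.
EVENTS = [
    {"ip_src": "10.0.0.5", "ec_outcome": "Failure", "event.time": ts(0),  "time": ts(1),   "esa.time": ts(2)},
    {"ip_src": "10.0.0.5", "ec_outcome": "Failure", "event.time": ts(10), "time": ts(11),  "esa.time": ts(12)},
    {"ip_src": "10.0.0.5", "ec_outcome": "Failure", "event.time": ts(20), "time": ts(21),  "esa.time": ts(22)},
    {"ip_src": "10.0.0.5", "ec_outcome": "Failure", "event.time": ts(30), "time": ts(400), "esa.time": ts(401)},
    {"ip_src": "10.0.0.5", "ec_outcome": "Failure", "event.time": ts(40), "time": ts(410), "esa.time": ts(411)},
]


def effective_time_field(time_field_meta=None):
    """Mirror the configuration rule from the answer: when timeFieldMeta is not set,
    use-event-time is false and analysis falls back to ESA's own time ("esa.time")."""
    return time_field_meta if time_field_meta else "esa.time"


def sources_over_threshold(events, time_field, window_seconds, threshold):
    """Return the set of ip_src values with at least `threshold` failures inside
    any sliding window of `window_seconds`, measured on `time_field`.
    This is a hypothetical stand-in for an 'N failures in M seconds' ESA rule."""
    window = timedelta(seconds=window_seconds)
    stamps_by_src = {}
    for ev in events:
        if ev["ec_outcome"] != "Failure":
            continue
        stamps_by_src.setdefault(ev["ip_src"], []).append(ev[time_field])

    alerted = set()
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            # Shrink the window from the left until it spans at most window_seconds.
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerted.add(src)
                break
    return alerted


def compare_time_fields(events, window_seconds=60, threshold=5):
    """Evaluate the same rule on each timestamp so the difference is visible."""
    return {
        field: sources_over_threshold(events, field, window_seconds, threshold)
        for field in ("event.time", "time", "esa.time")
    }


if __name__ == "__main__":
    for field, hits in compare_time_fields(EVENTS).items():
        print(f"{field:<11} -> {sorted(hits) or 'no alert'}")
```

Measured on `event.time`, all five failures fall inside 40 seconds and the rule fires; measured on `time` or on the default `esa.time`, the two late records sit more than six minutes after the first three, so no window ever holds five and the rule is silent. That is the practical trade-off behind `timeFieldMeta`: the event timestamp keeps delayed logs correlatable, but it relies on the log source's clock being trustworthy, whereas the ESA time is consistent but reflects ingestion delay rather than when things happened.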