RSA enVision^® Discussions

The way i understand it to work is like this.... 

"Date/Time" will always indicate that of event collection/injection.  The original event's date and time stamp of the message will only be used if:

• the table it's going to contains a second or subsequent Date/Time field other than the original "Date/Time" field. Typically this is seen as EventTime or event_time.   But note that NOT ALL tables have more than one date/time field.  If your table only has one Date/Time field, it's likely used for the collection date/time.

• the xml for the event source must be configured to parse out the original date of the message and know to populate that value into the correct date/time field on the table (mentioned above).  Again, this is often times seen as eventtime or event_time in the xml's.  Do note that even though your table may have a second date/time field, there's a chance that the event source .xml is not configured to use it, i.e. it's not programmed to populate it.  Yes, this happens with out of the box, RSA supported event sources also, so double and triple check.

• You must have both "has timestamp" AND "use timestamp" checked on the device attributes in order for reports to pay attention/use to the original event's date/time value, when running reports or queries.