Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

AnsweredAssumed Answered

Esa Time Netwitness 11.3

Question asked by Luca Bernabei on Apr 24, 2020
Latest reply on May 5, 2020 by Rohit Unnikrishnan

Like • Show 0 Likes0
Comment • 1

Hello,

before Netwitness 11.3, we were using the meta "esa.time" in some correlation rules with Esper Date-Time Methods.

After upgrading to version 11.3+ we noticed that the "esa.time" does no longer exists and of course our old rules were no longer deployed.

Is this meta deprecated or replaced with something else?

Thanks

Luca

2 people also have this question

Outcomes

1 Reply

Rohit Unnikrishnan May 5, 2020 10:17 AM
Mark Correct
Correct Answer
Hello Luca,

I would like to understand your usage of the meta "esa.time" within your rules before recommending anything, but the way we define various timestamps wrt the meta are as follows -
1. The meta "esa.time" is used to refer the time when ESA analyzed the event.
2. The meta "event.time" is the time when the event actually occurred, ie, timestamp in log.
3. The meta "time" is when the decoder captured it.
If you would like to use actual event time, you should set your "timeFieldMeta" to "time" or "event.time" whichever you prefer based on the rules. If you didn't, then use-event-time would be set to false, whereby it uses ESA aggregation time "esa.time" for analysis.

Hope this helps.

Thanks.
Rohit
Like • Show 0 Likes0
Actions

Recommended Content