What's your event breaker configured as?

unfortunately that event comes in via syslog (I know, stupid but that is how it comes in) so no event breaker

`%Y %B %d %H:%M:%S`?

https://github.com/d3/d3-time-format#api-reference

i have tried a time format as well to no avail. I was thinking the UTC at the end was doing it. I will keep trying stuff.

its weird as I have the event in JSON format and I can see the field _raw.Alert.timestamp. I try to apply that field as my auto timestamp and it does not use it. just a strange one.

That timestamp format I used works for me.

yeah i dont know whats up

Have you tried Auto Timestamp + setting an Additional Timestamp regex?I had to use this method for something that I think should worked out-the-box with the AWS event breaker ruleset.

I did try that and it still did not work.

Maybe the timestamp is quite ahead in the event, in the auto time stamp function, under advanced you can increase this setting to make it look further

It was basically this Eval Function that fixed the issue with time:

```_raw = JSON.parse(_raw)_time = +C.Time.strftime(C.Time.strptime(_raw.Alert.timestamp,'%Y %B %d %H:%M:%S'),'%s')```

You have to first parse the JSON string into an Object, then you can refer to the exact fieldname `_raw.Alert.timestamp` and pull out the time based on the format of the timestamp.

Thanks for posting, got busy and forgot.

IN & OUT

Thanks for providing clean data so I can share the summary easier

Always happy to help

Same expression can also be used in AutoTimeStamp but you have to know the length of the event to know how raw to look. Funny I started with 500 with the Start Scan Offset as a guess to the length of the event and it was 716. It didn't look that big to my eyes honestly.Start Scan Offset

Nice

You can also adjust the Max Timestamp Scan Depth too!

But now you see why I like to convert to an object because I don't always wanna guess the event length as the timestamp can be anywhere in the event in some cases.