ArcSight 5.5 Query on trend does only allow Timestamp as Timestamp field and not EndTime
Hi i have a trend with a trend interval configured for every hour.
Additionally I created a query filtering further on this trend. In the "Use as TimeStamp" attribute i can only select "TimeStamp" as value but not the Field EndTime that is also included in the trend.
Is there any way to select EndTime as TimeStamp Field in a Query that is pointing to a trend?
In addition does anyone know if the Row Limit that is set in the trend is applied per partition or to the whole trend.
E.g. If i set the Trend interval to 1 hour, Partition Size Weekly and Row Limit to 1 000 0000
or If i set the Partition Size to Daily with the same Row Limit.
I assume the Row Limit is set per Partition but the manual does not state it clearly.