Is there a way to make a query on the agentReceiptTime field on the logger v.5.2? I tried to do one and I receive the error message: The search cannot be run, there is an error in your query: Field [agentReceiptTime] is not a field that can be searched on. Also, this field seems not indexable.
We are currently migrating events from our old logger to the new one and the original event time, on the migrated events, is stored in the field "agentReceiptTime". On the new logger, the event time is the time where the new logger received the event from the old logger.
Thank you very much!
I have never attempted this, so look at it as something to look into only.
Could you use the feature in 5.2 that allows you to add a schema field (via system maintenance) to add the field you need ? if this was not a field that ArcSight already uses I would feel more configent about it. Not sure the ramifications of trying to add a field ArcSight normally uses. Might be worth asking support if you can do this ?