Indexer failure should use the timestamp when the failure happens and not the timestamp of the event it tries to store.
Current Behavior
Event timestamp is used.
Steps to Reproduce (for bugs)
Setup timestamp matching for incoming logs
Send in a log event with timestamp in the past and which can't be indexed (e.g. use a wrong data type in field)
Context
The failure is the interesting event that should be logged with the actual timestamp it happens. If I'm ingesting older logs the indexer failures log does not make any sense.
hulkk
commented
3 years ago
Expected Behavior
Indexer failure should use the timestamp when the failure happens and not the timestamp of the event it tries to store.
Current Behavior
Event timestamp is used.
Steps to Reproduce (for bugs)
Context
The failure is the interesting event that should be logged with the actual timestamp it happens. If I'm ingesting older logs the indexer failures log does not make any sense.
Your Environment