Design and implement the means by which Suricata's JSON alerts from the eve.json output file will be converted into ZNG. The solution will likely involve something à la types.json, but if some other approach turns out to be simpler/faster, let's not exclude it off the bat.
Figuring out how to handle the timestamp location (Suricata puts them in a field named timestamp) is related to this but is part of https://github.com/brimsec/zq/issues/1028.
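As an added example (not code from this issue or from zq), a Python sketch of the types.json-style approach: a rule on `event_type` selects a descriptor, and each column is coerced to a stand-in for its ZNG type, including parsing Suricata's `timestamp` field into epoch nanoseconds. The mapping shape, the descriptor and the eve.json lines are assumptions constructed for the example.

```python
import ipaddress
import json
from datetime import datetime

# Constructed sample eve.json lines (not captured traffic); field layout follows Suricata's EVE alert output.
EVE_LINES = [
    '{"timestamp":"2020-05-01T12:34:56.123456+0000","event_type":"alert","src_ip":"10.0.0.5",'
    '"src_port":49152,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,'
    '"signature":"LOCAL test rule","category":"Misc activity","severity":2}}',
    '{"timestamp":"2020-05-01T12:34:57.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}',
]
# Hypothetical types.json-style mapping (assumed shape, not zq's real file format): a rule picks a
# descriptor by field value; a descriptor lists (column, type) pairs, with a nested list for a record.
ALERT = [("timestamp", "time"), ("event_type", "string"), ("src_ip", "ip"), ("src_port", "port"),
         ("dest_ip", "ip"), ("dest_port", "port"), ("proto", "string"),
         ("alert", [("signature_id", "int"), ("signature", "string"),
                    ("category", "string"), ("severity", "int")])]
TYPES = {"descriptors": {"suricata_alert": ALERT},
         "rules": [{"name": "event_type", "value": "alert", "descriptor": "suricata_alert"}]}


def coerce(value, ztype):
    """Convert one JSON value into a Python value standing in for the named ZNG type."""
    if value is None:                      # missing field -> unset
        return None
    if isinstance(ztype, list):            # nested record, e.g. the "alert" object
        return {name: coerce(value.get(name), t) for name, t in ztype}
    if ztype == "time":                    # Suricata's "2020-05-01T12:34:56.123456+0000" -> epoch ns
        dt = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")
        return int(dt.timestamp()) * 10**9 + dt.microsecond * 1000
    if ztype == "ip":                      # rejects malformed addresses instead of keeping a string
        return ipaddress.ip_address(value)
    if ztype == "port":
        port = int(value)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {value!r}")
        return port
    if ztype == "int":
        return int(value)
    return str(value)


def convert(line):
    """Return the typed record for one eve.json line, or None when no rule claims it."""
    obj = json.loads(line)
    for rule in TYPES["rules"]:
        if obj.get(rule["name"]) == rule["value"]:
            desc = TYPES["descriptors"][rule["descriptor"]]
            return {name: coerce(obj.get(name), t) for name, t in desc}
    return None
```

Records that match no rule come back as `None` so the caller can decide whether to pass them through untyped or drop them; the actual ZNG encoding of the typed record is left to zq.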