raflyalk
commented
1 year ago Hi @JasonConger, wouldn't you think it would be better to use the TimeGenerated column on the query results to the _time as Splunk indexed timestamp, so the time the event was done can be in sync with Splunk and the Splunk time picker works as expected to show the correct event in the correct timestamp.
Starting a new issue based on a the thread in #9. Currently, the KQL input relies on the KQL input to provide a relative range and uses the input interval to execute that relative range. For example, a relative range may look something like this:
AzureActivity | where TimeGenerated between (now(-30d)..now()). The request is to add a start date to the KQL input and checkpoint the data returned instead of relying on the query.