Idea ID: 2877675

Retrieve and display Logger's Current $now time for use in search/reporting

Status: New Idea

 Design a way to obtain the $Now value or current time of the ArcSight logger to be used in either epoch time or readable in a user defined user column.

Something along the lines of:

deviceVendor = "Microsoft" | rex "\srt=(?<RecTime>[^ ]*)"| eval (int)RecTimeInt=RecTime | eval (int)RecTimeIntPlus=RecTimeInt +100000

I want to be able to retrieve the Logger's current time and (for example) assign it to a user defined field so that I am able to see my most recent events based on the current time.