Design a way to obtain the $Now value or current time of the ArcSight Logger, to be used either in epoch time or in readable form in a user-defined user column.
Something along the lines of:
deviceVendor = "Microsoft" | rex "\srt=(?<RecTime>[^ ]*)" | eval (int)RecTimeInt=RecTime | eval (int)RecTimeIntPlus=RecTimeInt +100000
I want to be able to retrieve the Logger's current time and (for example) assign it to a user-defined field so that I am able to see my most recent events based on the current time.