I have a custom command written with the Python SDK 1.5. It takes in events, and then emits multiple events for each incoming event (with the same _time value).
I have overrides_timeorder = true (shouldn't be necessary).
I sporadically get the error "The external search command 'netbotzextract' did not return events in descending time order, as expected".
How can this happen with overrides_timeorder = true? How do I track down why Splunk thinks the events are coming in out of time order?
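One way to narrow this down, as an added example that is not part of the original post and not code from the Splunk SDK: capture the records the command emits and run them through a checker that reports the first place where _time stops being non-increasing. It assumes each record is a dict with an epoch `_time` field, as a streaming command built on splunklib.searchcommands would emit; the sample input events and the `explode`/`run_ordered`/`run_buffered` functions are constructed here to show a correct emitter next to one that silently reorders its output.

```python
"""Locate out-of-order _time values in the records a custom search command emits.

Added example for this page; it is not from the original post or the Splunk SDK.
It assumes the command yields dicts carrying an epoch `_time` field, which is what
a streaming command built on splunklib.searchcommands produces.
"""


def parse_time(value):
    """Coerce a _time value to float.

    _time arrives in the command as text; comparing the raw strings lexically
    would rank "999.5" above "1000.0", so always compare as numbers.
    """
    if value is None or value == "":
        raise ValueError("record has no _time")
    return float(value)


def find_order_violations(records, descending=True):
    """Return (index, previous_time, current_time) for every record whose _time
    moves the wrong way relative to the record before it.

    Equal timestamps are fine: several output events generated from one input
    event may legitimately share its _time. Only a strict reversal is flagged.
    """
    violations = []
    previous = None
    for index, record in enumerate(records):
        current = parse_time(record.get("_time"))
        if previous is not None:
            wrong_way = current > previous if descending else current < previous
            if wrong_way:
                violations.append((index, previous, current))
        previous = current
    return violations


def explode(event, n=3):
    """Hypothetical stand-in for the command under discussion: emit n output
    records per input event, all carrying the input event's _time."""
    for i in range(n):
        out = dict(event)
        out["part"] = i
        yield out


# Constructed sample input: three events as a search would hand them to the
# command, in descending time order.
SAMPLE_INPUT = [
    {"_time": "1700000300.0", "host": "netbotz1", "_raw": "A"},
    {"_time": "1700000200.0", "host": "netbotz1", "_raw": "B"},
    {"_time": "1700000100.0", "host": "netbotz1", "_raw": "C"},
]


def run_ordered(events):
    """Emit records in the order received: descending order is preserved."""
    out = []
    for e in events:
        out.extend(explode(e))
    return out


def run_buffered(events):
    """A common mistake: buffer all input, then emit it in some other order.
    Here the buffer is flushed oldest-first, which reverses the time order."""
    buffered = sorted(events, key=lambda e: parse_time(e["_time"]))
    out = []
    for e in buffered:
        out.extend(explode(e))
    return out


if __name__ == "__main__":
    for name, runner in (("ordered", run_ordered), ("buffered", run_buffered)):
        found = find_order_violations(runner(SAMPLE_INPUT))
        print(f"{name}: {len(found)} violation(s)")
        for index, prev, cur in found:
            print(f"  record {index}: _time {cur} follows {prev} (not descending)")
```

To use it against the real command, log each record the command yields (one dict per line) and feed that list to `find_order_violations`; the first reported index tells you which emitted record broke the order, and the two timestamps tell you whether the input arrived that way or the command reordered it.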