Hi Clément,
The startTime is the time at which QRadar received the event, so it is not intended to be unique. You can read a bit about the different time stamps in our event objects here:
https://www.ibm.com/support/pages/qradar-event-details-and-difference-between-start-time-storage-time-and-log-source-time
> Is additionnal filtering on EC or EP ID in the AQL search would be a good practice ?
Do you mean by using AQL filters like EXCLUDESERVERS or ARIELSERVERS4EPID that limit what QRadar EPs participate in the query or is there another use case you're talking about?
------------------------------
Chris Fredericks
------------------------------
Original Message:
Sent: Fri March 27, 2020 05:00 AM
From: Clément BONNAL
Subject: Is startTime Event Property unique ?
Hello,
I would like to know if the starttime property on events is unique ?
-> Any risk I found two entries in AQL request with same starttime value ?
Is additionnal filtering on EC or EP ID in the AQL search would be a good practice ?
Thank you.
------------------------------
Clément BONNAL
------------------------------