Splunk TA for Suricata: Should TIME_PREFIX=event_second": be changed to TIME_PREFIX=timestamp": in props.conf?

Our suri nodes have "timestamp" as a prefix for {"timestamp":"2016-02-29T10:11:26.037993+0100", "flow_id":140671543700208, "in_iface":"etthxxx", "event_type":"alert", "src_ip":"198.51.44.3", "src_port":53, ... .. Has this changed recently? If so, it might be worth updating the app to something like: cat TA-Suricata/default/props.conf [post_suricata_eve] SHOULD_LINEMERGE = true TIME_PREFIX=timestamp": BREAK_ONLY_BEFORE = ^{ KV_MODE = json Regards Chris