From 044aa9e9a089674cbefce18cb2afe191616964f9 Mon Sep 17 00:00:00 2001
From: Sean Whalen
Date: Sat, 29 Nov 2025 20:50:13 -0500
Subject: [PATCH] Include interval_begin in splunk output for accurate timestamping
---
 parsedmarc/splunk.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/parsedmarc/splunk.py b/parsedmarc/splunk.py
index 3e218fb..16fcfc6 100644
--- a/parsedmarc/splunk.py
+++ b/parsedmarc/splunk.py
@@ -78,6 +78,7 @@ class HECClient(object):
 new_report = dict()
 for metadata in report["report_metadata"]:
 new_report[metadata] = report["report_metadata"][metadata]
+ new_report["interval_begin"] = report ["interval_begin"]
 new_report["published_policy"] = report["policy_published"]
 new_report["source_ip_address"] = record["source"]["ip_address"]
 new_report["source_country"] = record["source"]["country"]
@@ -98,7 +99,7 @@ class HECClient(object):
 new_report["spf_results"] = record["auth_results"]["spf"]
 data["sourcetype"] = "dmarc:aggregate"
- timestamp = human_timestamp_to_unix_timestamp(new_report["begin_date"])
+ timestamp = human_timestamp_to_unix_timestamp(new_report["interval_begin"])
 data["time"] = timestamp
 data["event"] = new_report.copy()
 json_str += "{0}\n".format(json.dumps(data))
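Review bot: The added `report ["interval_begin"]` lookup in the first hunk reads the key from the top level of the report, while the other per-row values in this loop come from `record[...]`, `report["report_metadata"]` or `report["policy_published"]`. Where the parser actually places `interval_begin` is not visible here; if it is a per-record field, this line raises `KeyError` on the first record and no aggregate events are sent to Splunk. The second hunk makes `data["time"]` depend on the same value, so a missing or misplaced key also affects the event time that searches and alerts rely on. If the field lives on the record, the line should read `new_report["interval_begin"] = record["interval_begin"]`, which also removes the stray space before the bracket. The enclosing method starts and ends outside both hunks.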