Hey syoc, thanks for your response.
In that case, I might just remove rotate-interval. Hopefully that works.
Suricata will flush some state between each pcap file when processing them in “continuous mode”. That is when Suricata is not stopped between each pcap.
I’m not sure if this affects me. I’m not running Suricata with the pcap-file-continuous option; instead, I am having a separate tool explicitly send pcap files to Suricata by using suricatasc with the pcap-file command.
When you say “flush some state,” does that affect the output found in an eve.json alert?