Configuration of an alert according to the time

Hello,
I would like to set up an alert that can warn me if there is a connection on one of my servers between 10:00 in the evening and 8:00 in the morning, but to be honest I really can't understand it, and I can't find any explanation for my case on the internet. Does anyone know how to do that?
Thank you

Hello @Cruciani_Elliot

Unless there has been a change recently, querying individual components of the Timestamp field (to add it to your Search Query in your event definition) is not possible. What you could do, however, is set up a pipeline that copies components of the timestamp into fields and then use those for querying.

So, in your pipeline you will:

set_field("ts_hour", $message.timestamp.hourOfDay);

Then in your event definition:

AND ts_hour:(>=22 OR <=8)
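The two pieces of the answer, the hour extracted from the timestamp and the off-hours condition built on it, as an added Python example that is not part of this thread. It assumes the server runs at UTC+1 (Graylog stores `timestamp` in UTC, so the hour is converted before the check) and uses constructed sample log lines; the point it makes is that a window crossing midnight needs OR, since no hour is both >=22 and <=8.

```python
from datetime import datetime, timedelta, timezone

# Off-hours window from the question: 22:00 in the evening to 08:00 in the morning.
START_HOUR = 22   # inclusive
END_HOUR = 8      # exclusive: 08:00 itself already counts as morning

# Assumed server zone: a fixed UTC+1 offset (zoneinfo would handle DST in production).
SERVER_TZ = timezone(timedelta(hours=1))


def in_off_hours(hour: int, start: int = START_HOUR, end: int = END_HOUR) -> bool:
    """True if `hour` (0-23) lies in [start, end), including windows that wrap midnight."""
    if start < end:                       # e.g. 9..17, no wrap
        return start <= hour < end
    return hour >= start or hour < end    # wraps midnight: OR, never AND


def ts_hour_query(start: int = START_HOUR, end: int = END_HOUR) -> str:
    """Search-query clause for the integer ts_hour field set by the pipeline rule."""
    if start < end:
        return f"ts_hour:(>={start} AND <={end - 1})"
    return f"ts_hour:(>={start} OR <={end - 1})"


# Constructed sample messages: (UTC timestamp as stored by Graylog, message body).
SAMPLE_LOGS = [
    ("2024-03-11T20:30:00Z", "Accepted publickey for alice from 10.0.0.5"),
    ("2024-03-11T21:30:00Z", "Accepted publickey for alice from 10.0.0.5"),
    ("2024-03-11T23:15:00Z", "Accepted password for bob from 10.0.0.7"),
    ("2024-03-12T06:59:00Z", "USER carol logged in"),
    ("2024-03-12T07:05:00Z", "USER dave logged in"),
]


def off_hours_logins(logs=SAMPLE_LOGS, tz=SERVER_TZ):
    """Return (utc_timestamp, local_hour, message) for every login inside the window."""
    hits = []
    for ts, msg in logs:
        utc = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        local_hour = utc.astimezone(tz).hour      # the value ts_hour should carry
        if in_off_hours(local_hour):
            hits.append((ts, local_hour, msg))
    return hits


if __name__ == "__main__":
    print(ts_hour_query())
    for hit in off_hours_logins():
        print(hit)
```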

Hi @ttsandrew,

Thank you for your answer, I created a pipeline connected to my stream and I wrote this rule:

rule "time_verification"
when
    // only messages whose body contains the word USER
    contains(to_string($message.message), "USER")
then
    // copy the hour component of the timestamp into its own field
    set_field("ts_hour", $message.timestamp.hourOfDay);
end

Is that all right?

In addition, I do not understand much about the conditions of the event. Do I do it using a filter or an aggregation? Because I can't find the function I just created.

Hello @Cruciani_Elliot

I think that rule should work assuming you only want to modify messages containing the word USER in the message body.

Now you should be able to use that field ts_hour in a filter of an event definition.
