Create a stream between two times

Graylog Central (peer support)
1

I understand that this will probably involve using the predefined pipeline functions, or creating a new one. What I’m not clear on at this point is specifically where to place the information and how to generate what I need to compare timestamps in log messages.

My specific problem: I want to create a stream for all log messages which occur between 21:00:00UTC and 13:00:00UTC during a given day. From there, I will create alerts based on the value of e.g. the EventType field.

Do I need to generate a current date, then replace the hours with those I need to compare?
Can I create a date that matches all years/months/days with a wildcard?

Is there a way to say in graylog/elasticsearch ‘between these dates’?

2

I would use the “timestamp” field of each message and check that in a pipeline rule.

You can access each component of the time in that timestamp individually (also see DateTime (Joda-Time 2.12.5 API)):

1 Like
3

So the steps would seem to be:

create a rule that keeps only messages that have timestamps after the begin time
create another rule that keeps only messages that have timestamps before the end time

within each rule I would need to create a date object with either the begin or end time and compare with the timestamp from the message. I can deal with generating the string based on the current date info from that object with the expected time, but I’m having trouble seeing how to structure the rules to compare.

Please let me know if any of the above is in error.

4

I think I’m getting warmer here:

rule "off hours"
when
  has_field("timestamp") && (parse_date(to_string($message.timestamp), "YYYY-MM-DDTHH:mm:ss.SSSZ").getHourOfDay() <= 13 || parse_date(to_string($message.timestamp), "YYYY-MM-DDTHH:mm:ss.SSSZ").getHourOfDay() >= 23)
then
  route_to_stream("Messages Off Hours");
end
5

This would be simple to separate into two rules. The problem I’m having is being able to generate a DateTime object for the time to compare. I’m also not clear on the syntax – i.e. how to use the methods of the DateTime class to construct a new object with that time.

6

The problem seems to be that I can’t use any functions of the DateTime object to get the hours as an int to compare. parse_date seems to return an Object, according to the interpreter messages, but I get "Unknown function getHourOfDay for both calls.

7

Got it. Had to use the hourOfDay property and convert to long.

rule "off hours"
when
  has_field("timestamp") && (to_long($message.timestamp.hourOfDay) < 8 || to_long($message.timestamp.hourOfDay) >= 18)
then
  route_to_stream("Messages Off Hours");
end
8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.