As @jan already described in Graylog Alerting Question, you could write a pipeline rule which checks whether the “timestamp” field contains a timestamp between 0 and 6 o’clock, and then sets a custom flag field.
Once the field is there, you can create an alert condition which checks the field content and triggers an alert if your conditions have been met.
Example:
rule "Between 0 and 6 o'clock"
when
to_date($message.timestamp).hourOfDay >= 0 && to_date($message.timestamp).hourOfDay <= 6
then
set_field("trigger_alert", true);
end
I want to do other scenarios, such as the detection of several unsuccessful SSH attempts followed by a success for the same user. Is it possible to do that in Graylog?
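The following Python script is an added illustration and not a reply by any participant in this thread, nor Graylog pipeline code. It mirrors the logic of the two scenarios discussed: the off-hours flag the pipeline rule above sets on a message, and a stateful "several failures then a success for the same user" detector run over a constructed batch of SSH auth events (field names `user` and `result`, the threshold of 3 failures and the 10-minute window are all assumptions chosen for the example).

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample events in the shape of flattened Graylog messages (not real log data).
# "failed"/"success" are assumed values of an assumed "result" field.
SAMPLE_EVENTS = [
    {"timestamp": "2024-01-10T02:15:00Z", "user": "alice", "result": "failed"},
    {"timestamp": "2024-01-10T02:16:00Z", "user": "alice", "result": "failed"},
    {"timestamp": "2024-01-10T02:17:00Z", "user": "alice", "result": "failed"},
    {"timestamp": "2024-01-10T02:18:00Z", "user": "alice", "result": "success"},
    {"timestamp": "2024-01-10T09:00:00Z", "user": "bob",   "result": "failed"},
    {"timestamp": "2024-01-10T09:01:00Z", "user": "bob",   "result": "success"},
    {"timestamp": "2024-01-10T10:00:00Z", "user": "carol", "result": "failed"},
    {"timestamp": "2024-01-10T10:01:00Z", "user": "carol", "result": "failed"},
    {"timestamp": "2024-01-10T10:02:00Z", "user": "carol", "result": "failed"},
    # carol's success comes 28 minutes later, outside the 10-minute window below
    {"timestamp": "2024-01-10T10:30:00Z", "user": "carol", "result": "success"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flag_off_hours(message, start_hour=0, end_hour=6):
    """Equivalent of the pipeline rule above: when the message's hour of day lies in
    [start_hour, end_hour], return a copy with the flag field trigger_alert set.
    An alert condition would then simply test for that field."""
    hour = parse_ts(message["timestamp"]).hour
    if start_hour <= hour <= end_hour:
        return {**message, "trigger_alert": True}
    return message


def detect_fail_then_success(events, threshold=3, window_seconds=600):
    """Per-user sliding window: remember failed attempts within window_seconds and
    raise an alert when a success arrives while at least `threshold` recent
    failures are pending. Returns (user, success_timestamp, failure_count) tuples."""
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = []
    for event in sorted(events, key=lambda e: parse_ts(e["timestamp"])):
        ts = parse_ts(event["timestamp"])
        queue = recent_failures[event["user"]]
        # expire failures that are older than the correlation window
        while queue and (ts - queue[0]).total_seconds() > window_seconds:
            queue.popleft()
        if event["result"] == "failed":
            queue.append(ts)
        elif event["result"] == "success":
            if len(queue) >= threshold:
                alerts.append((event["user"], event["timestamp"], len(queue)))
            queue.clear()  # a success resets the burst for that user
    return alerts


if __name__ == "__main__":
    flagged = [m for m in SAMPLE_EVENTS if "trigger_alert" in flag_off_hours(m)]
    print(f"{len(flagged)} events fall into the 0-6 o'clock window")
    for user, when, n in detect_fail_then_success(SAMPLE_EVENTS):
        print(f"ALERT: {user} succeeded at {when} after {n} recent failures")
```

The first function is stateless, which is why it fits a pipeline rule that sees one message at a time; the second needs memory across messages (the per-user queue), which is the part a single pipeline rule cannot provide on its own and has to come from some form of event correlation.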