I have not found a way to do this yet. I need to search for a message in Graylog which should appear in the log just after 6AM. I need to confirm it is there by 7AM daily with an event definition.
This the basic query to find what I am looking for:
application_name:talend-alljobs AND Done AND source:tldjobndcp* AND NewStageProductReport
I need to either find a way to just run the event definition once a day at 7 AM and look back 1 hour but have not found a way to schedule those just once a day at a specific time of day.
The other way would be to run the event definition every hour looking back 24 hours and put something in the query to make it just look between the hours of 6 and 7AM.
I have found where you can do things like this which finds it if it is withing the last 9 hours:
application_name:talend-alljobs AND Done AND source:tldjobndcp* AND NewStageProductReport AND timestamp:[now-9h TO now]
I need something like timestamp:[midnight+6h TO midnight+7h].
Try to use this pipeline rule as example, to setup new field:
rule "out_of_hours"
when
to_long(now("Europe/London").hourOfDay) >= 0 AND
to_long(now("Europe/London").hourOfDay) < 7
then
set_field("out_of_hours", true);
debug("out_of_hours");
end
I am really new to Graylog. I have been looking for how to create a pipeline rule in the UI and Googling it. In my Google search I just keep seeing people giving examples of rules but not where to go or step by step for creating a rule. The only place in the UI I have found where I could create a rule in the UI is under the Wizard heading. There is a create button there to create an alert rule. Am I missing something?
Thanks
Looks like to setup a pipeline rule you have to have admin rights to the system. I finally got some time from an admin and he created this rule:
rule “ts_hour”
when
has_field(“timestamp”)
then
set_field(“ts_hour”, $message.timestamp.hourOfDay);
end
I figured after that messages would start having a ts_hour field in them but they do not.
Here a couple of other questions:
Is there a way to run and event definition at specific time of day?
Is there a way I can do this with the Fields part of an event definition to get the hour part of the timestamp and then use that in the search query filter like adding AND ts_hour:(>=6 AND <=7)?
