Graylog query with regular expression to filter working hours

@madi, thanks for trying this at least I know it is not only me.

To any sysadmin who might find this post via Google: the solution I finally implemented is based on the suggestion from @jan, but the rule has to be modified as there is a data type consistency issue. The rule I ended up implementing is:

rule "business hour flag"
when
  to_long(to_date($message.timestamp).hourOfDay) >= 9 &&
  to_long(to_date($message.timestamp).hourOfDay) <= 21 &&
  to_long(to_date($message.timestamp).dayOfWeek) >= 1 &&
  to_long(to_date($message.timestamp).dayOfWeek) < 6
then
  set_field("work_hours", true);
end

Essentially one has to add the to_long() to be able to do the comparison.

Still, this does not solve my base problem, as I have a ton of logs already in Graylog and I can't apply this pipeline to those, but at least I process new logs as I wanted.

Another problem I have is that GL seems not to be respecting the TimeZone (in my case "America/New_York"), so I had to do the >= and <= based on UTC, which is the default Timezone. If I do, say:

to_long(to_date($message.timestamp).hourOfDay, "America/Toronto")

It does not like it and my rule just fails, but I will probably add a different post for that one.
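For readers who want the flag evaluated in local time rather than UTC, here is an added variant of the rule above (editor's example, not the poster's rule). It assumes that Graylog's to_date() accepts an optional timezone string as its second argument, and that dayOfWeek follows Joda numbering (Monday = 1 ... Sunday = 7); the hour range and zone are placeholders to adjust.

```text
rule "business hour flag (local time)"
when
  has_field("timestamp")
then
  // Assumption: the timezone goes on to_date(), not on to_long().
  let ts   = to_date($message.timestamp, "America/New_York");
  let hour = to_long(ts.hourOfDay);   // 0-23 in the zone above
  let dow  = to_long(ts.dayOfWeek);   // Joda: Monday = 1 ... Sunday = 7

  // Mon-Fri, 09:00-21:59 local time counts as working hours.
  let in_hours = hour >= 9 && hour <= 21 && dow >= 1 && dow < 6;

  // Always write the field, so searches for work_hours:false also match
  // off-hours events (the original rule only sets it when true).
  set_field("work_hours", in_hours);
  set_field("local_hour", hour);
end
```

Because this rule sets work_hours on every message, an alert or dashboard for off-hours activity can filter on work_hours:false instead of relying on the field being absent.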