1. Describe your incident:
Hello all,
I want to display only events between 20:00 and 6:00 in the morning, European time. For this I used this script:
rule "Between 6 PM and 6 AM"
when
  ( to_long(to_date($message.timestamp, "Europe/Berlin").hourOfDay) >= 0 AND to_long(to_date($message.timestamp, "Europe/Berlin").hourOfDay) <= 6 ) OR
  ( to_long(to_date($message.timestamp, "Europe/Berlin").hourOfDay) >= 20 AND to_long(to_date($message.timestamp, "Europe/Berlin").hourOfDay) <= 0 )
then
  set_field("trigger_workhours_off", true);
end
However, messages outside this time window are also set to true. Why?
2. Describe your environment:
OS Information:
5.11 Graylog
Package Version:
Service logs, configurations, and environment variables:
1 μs    Starting message processing
113 μs  Message 84282eb1-6812-11ee-9b15-0050568dd52b running [Pipeline ‘Ereignisse zwischen 20 - 6 Uhr’ (6526355dc5f1507b6a32dde2)] for streams [000000000000000000000001]
157 μs  Enter Stage 0
166 μs  Evaluate Rule ‘Between 6 PM and 6 AM’ (6526367bc5f1507b6a32e042) in Pipeline ‘Ereignisse zwischen 20 - 6 Uhr’ (6526355dc5f1507b6a32dde2)
231 μs  Evaluation satisfied Rule ‘Between 6 PM and 6 AM’ (6526367bc5f1507b6a32e042) in Pipeline ‘Ereignisse zwischen 20 - 6 Uhr’ (6526355dc5f1507b6a32dde2)
240 μs  Execute Rule ‘Between 6 PM and 6 AM’ (6526367bc5f1507b6a32e042) in Pipeline ‘Ereignisse zwischen 20 - 6 Uhr’ (6526355dc5f1507b6a32dde2)
253 μs  Finished execution Rule ‘Between 6 PM and 6 AM’ (6526367bc5f1507b6a32e042) in Pipeline ‘Ereignisse zwischen 20 - 6 Uhr’ (6526355dc5f1507b6a32dde2)
256 μs  Completed Stage 0 for Pipeline ‘Ereignisse zwischen 20 - 6 Uhr’ (6526355dc5f1507b6a32dde2), continuing to next stage
260 μs  Exit Stage 0
268 μs  Finished message processing
First off, have you tried just writing the values of the hour to some log messages (move your functions from when to then) and making sure the values are being calculated the way you would expect?
Set the when clause to true so the rule always runs, then in the then block do a set_field("hourofday", $message.timestamp.hourofday); then you can manually check what hours are being written so you can rule out any errors.
// Debug rule: records the computed hour so you can verify the timezone conversion.
// Renamed so it does not collide with the rule below (rule names must be unique).
rule "Log hour of day"
when
  ( to_long(to_date($message.timestamp, "Europe/Berlin").hourOfDay) >= 0 AND to_long(to_date($message.timestamp, "Europe/Berlin").hourOfDay) <= 6 ) OR
  ( to_long(to_date($message.timestamp, "Europe/Berlin").hourOfDay) >= 18 AND to_long(to_date($message.timestamp, "Europe/Berlin").hourOfDay) <= 23 )
then
  set_field("Hour", to_date($message.timestamp, "Europe/Berlin").hourOfDay);
end

// Second clause: an hour can never be both >= 18 and <= 0, so the upper bound is 23,
// the last hour before midnight. Note that "<= 6" also matches the whole 06:00-06:59 hour.
rule "Between 12 PM and 6 AM"
when
  ( to_long(to_date($message.timestamp, "Europe/Berlin").hourOfDay) >= 0 AND to_long(to_date($message.timestamp, "Europe/Berlin").hourOfDay) <= 6 ) OR
  ( to_long(to_date($message.timestamp, "Europe/Berlin").hourOfDay) >= 18 AND to_long(to_date($message.timestamp, "Europe/Berlin").hourOfDay) <= 23 )
then
  set_field("trigger_workhours_off", true);
end
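As an added example (not code from this thread or from Graylog), the same predicate modelled in Python: the clause exactly as posted in the question next to a corrected window that wraps past midnight, both evaluated on constructed UTC timestamps converted to Europe/Berlin. The function names, sample timestamps and the assumption that `hour_of_day` yields the same value as `to_date($message.timestamp, "Europe/Berlin").hourOfDay` are mine; `in_window` generalises to any start/end hour.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

try:
    BERLIN = ZoneInfo("Europe/Berlin")
except ZoneInfoNotFoundError:
    # Fallback if the host has no tz database: fixed CEST offset (samples are all in summer time).
    BERLIN = timezone(timedelta(hours=2), "CEST")

def hour_of_day(ts: str) -> int:
    """Hour (0-23) in Europe/Berlin for an ISO-8601 UTC timestamp, as Graylog
    stores message timestamps. Assumed to equal the rule's .hourOfDay value."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt.astimezone(BERLIN).hour

def posted_rule(hour: int) -> bool:
    """The predicate exactly as written in the question. 'hour >= 20 AND hour <= 0'
    can never be true, so 20:00-23:59 is never matched, while '<= 6' matches the
    whole 06:00-06:59 hour."""
    return (hour >= 0 and hour <= 6) or (hour >= 20 and hour <= 0)

def in_window(hour: int, start: int = 20, end: int = 6) -> bool:
    """True when hour lies in [start, end). A window that wraps past midnight
    (start > end) needs OR between the two bounds, not AND."""
    if start > end:
        return hour >= start or hour < end
    return start <= hour < end

# Constructed sample timestamps (UTC; October 2023 is CEST, UTC+2, in Berlin).
SAMPLES = [
    "2023-10-11T19:30:00Z",  # 21:30 Berlin: off-hours, but the posted rule misses it
    "2023-10-11T04:15:00Z",  # 06:15 Berlin: posted rule flags it, window ends at 06:00
    "2023-10-11T10:00:00Z",  # 12:00 Berlin: working hours, both agree
    "2023-10-11T22:30:00Z",  # 00:30 Berlin next day: off-hours, both agree
]

def compare(ts: str) -> tuple:
    """Return (berlin_hour, posted_rule result, in_window result) for one timestamp."""
    h = hour_of_day(ts)
    return h, posted_rule(h), in_window(h)

if __name__ == "__main__":
    for ts in SAMPLES:
        print(ts, compare(ts))
```

The first sample is the case the corrected rule on this page needs: a 21:30 logon that the posted clause silently drops.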
OK, I put together something more complete; lack of information makes this hard to troubleshoot.
Test example:
1. Create a stream for users logging in.
Windows: user logon, with a rule for Event ID 4624.
2. Attach a pipeline to that stream.
Stage 1 has your rule "Between 12 PM and 6 AM".
Stage 2 has your rule "Route to stream".
3. Ensure the message processors configuration has Pipeline Processor AFTER Message Filter Chain.
4. You have choices after this: either set up your notification to collect the field trigger_workhours_off, OR route messages carrying trigger_workhours_off to a stream and then attach that stream to your notification. Up to you; what I posted was a simple explanation.
For example:
rule "Route to stream"
when
has_field("trigger_workhours_off")
then
route_to_stream(id:"5d8acba383d72e04cba96317");
end
I've been using this for years. If you have more trouble, you may need to show what's going on. Hope this helps.