welcome @kaaroten
nice work so far!
You only have a little glitch in your rules that might become visible if I rewrite that:
```
when
to_long(to_date($message.timestamp).hourOfDay) >= 7 AND
to_long(to_date($message.timestamp).hourOfDay) <= 19 AND
to_long(to_date($message.timestamp).dayOfWeek) >= 1 AND
to_long(to_date($message.timestamp).dayOfWeek) < 6
then
```
That condition could never be positive and the field will never be created. But if you change that to something that can happen - this will work:
```
when
( to_long(to_date($message.timestamp).hourOfDay) >= 7 AND
to_long(to_date($message.timestamp).hourOfDay) <= 19 ) OR
( to_long(to_date($message.timestamp).dayOfWeek) >= 1 AND
to_long(to_date($message.timestamp).dayOfWeek) < 6 )
then
```
Get it?
Something else to keep in mind: the date of the timestamp is UTC, so you need to make the times UTC times. While the documentation gives the option to work with timezones, it is actually not working ( https://github.com/Graylog2/graylog2-server/issues/6486 ) but should™ be fixed soonish. After that, the following will work properly:
```
rule "off work hours"
when
// 00:00 through 06:59 local time
( to_long(to_date($message.timestamp, "Asia/Manila").hourOfDay) >= 0 AND to_long(to_date($message.timestamp, "Asia/Manila").hourOfDay) <= 6 ) OR
// 18:00 through 23:59 local time (upper bound must be 23, not 0, or this branch never matches)
( to_long(to_date($message.timestamp, "Asia/Manila").hourOfDay) >= 18 AND to_long(to_date($message.timestamp, "Asia/Manila").hourOfDay) <= 23 )
then
set_field("trigger_workhours_off", true);
end
```
You should also not forget about weekends, as most companies do not run 24/7:
```
rule "off work weekend"
when
// from Monday (1) to Sunday (7)
to_long(to_date($message.timestamp, "Asia/Manila").dayOfWeek) == 7 OR
to_long(to_date($message.timestamp, "Asia/Manila").dayOfWeek) == 6
then
set_field("trigger_workhours_off", true);
end
```
Regarding having `"` around true and false: having `"true"` will create a string that writes true into the field, while just using `true` will create a boolean, which is significantly smaller to store. You need to decide what you need in your case.
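To make the UTC caveat above concrete, here is an added Python mirror of the two rules (not code from the thread or from Graylog) run over a few constructed sample events, evaluating each once against the raw UTC timestamp and once in Asia/Manila; the messages, timestamps and the fixed +8 offset are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Asia/Manila is UTC+8 all year (no DST), so a fixed offset is exact here.
MANILA = timezone(timedelta(hours=8), "Asia/Manila")


def is_off_hours(ts: datetime, tz=MANILA) -> bool:
    """Mirror of the two pipeline rules: true outside 07:00-17:59 local
    time, or on Saturday/Sunday (isoweekday 6/7 matches dayOfWeek 6/7)."""
    local = ts.astimezone(tz)
    outside_hours = local.hour <= 6 or local.hour >= 18
    weekend = local.isoweekday() in (6, 7)
    return outside_hours or weekend


def parse_graylog_ts(raw: str) -> datetime:
    # Graylog stores $message.timestamp in UTC; treat the 'Z' suffix as UTC.
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample events (hypothetical, not from the original thread).
SAMPLE_EVENTS = [
    ("login ok user=alice", "2020-01-14T23:30:00Z"),  # Tue 23:30 UTC = Wed 07:30 PHT
    ("login ok user=bob",   "2020-01-17T12:00:00Z"),  # Fri 12:00 UTC = Fri 20:00 PHT
    ("login ok user=carol", "2020-01-18T01:00:00Z"),  # Sat 01:00 UTC = Sat 09:00 PHT
    ("login ok user=dave",  "2020-01-19T20:00:00Z"),  # Sun 20:00 UTC = Mon 04:00 PHT
]


def classify(events, tz=MANILA):
    """Return {message: (flag when evaluated in raw UTC, flag when evaluated in tz)}.
    A mismatch between the two shows an event the UTC-only rule misclassifies."""
    out = {}
    for msg, raw in events:
        ts = parse_graylog_ts(raw)
        out[msg] = (is_off_hours(ts, timezone.utc), is_off_hours(ts, tz))
    return out


if __name__ == "__main__":
    for msg, (utc_flag, local_flag) in classify(SAMPLE_EVENTS).items():
        print(f"{msg:22} raw-UTC={utc_flag!s:5} Asia/Manila={local_flag}")
```

The first two events flip between the two evaluations, which is exactly the false positive and false negative you get when the rule runs on the UTC hour instead of the local one.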