I’m trying to add a tag to all traffic in a stream at certain times to enable me to send alerts for things only between 22:00 and 07:00.
I have this working ok thanks to help from the below articles but I cant get the “withZone GMT+1” tag to work correctly, I’m in the UK which is GMT+1 at present. I have also tried UTC+1 to no avail. I have two questions if anyone can help.
I cant seem to get it to work from say 22:00 - 07:00, is this possible without creating 2 rules one for 22:00-00:00, and one for 00:00-07:00 ? - the rule stops working if i set it to 22:00-07:00.
Is the time offset parameter working now ? if so what am I doing wrong ?
Links to articles I used :
My pipeline:
rule “out_of_hours”
when
( to_long(to_date($message.timestamp, “withZone GMT+1”).hourOfDay) >= 00 AND
to_long(to_date($message.timestamp, “withZone GMT+1”).hourOfDay) < 07 ) AND
( to_long(to_date($message.timestamp, “withZone GMT+1”).dayOfWeek) >= 1 AND
to_long(to_date($message.timestamp, “withZone GMT+1”).dayOfWeek) <= 5 )
then
set_field(“out_of_hours”, true);
end
Expected behaviour: the time will adjust to compensate for UK time
Actual behaviour: the time is always UTC so 1 hour out
Thanks for your idea shoothub, iv just tryed it, unfortunatly seems to be still behaving the same always UTC wich is an hour behind my time zone, i tryed,
I found a workaround for you. There is still a bug in function to_date in latest version of graylog 3.3.1, but I found solution.
Try to replace: to_long(to_date($message.timestamp, “withZone GMT+1”).hourOfDay)
with to_long(now("Europe/London").hourOfDay)
so your complete rule would be:
rule “out_of_hours”
when
to_long(now(“Europe/London”).hourOfDay) >= 0 AND
to_long(now(“Europe/London”).hourOfDay) < 7 AND
to_long(now(“Europe/London”).dayOfWeek) >= 1 AND
to_long(now(“Europe/London”).dayOfWeek) <= 5
then
set_field(“out_of_hours”, true);
debug(“out_of_hours”);
end
To: @jan Can you confirm, that bug it is still present in latest graylog, and in which version can we expect resolution of bug?
