feature request : time periods

[benhank]

If I search for certain log results from say Monday to Friday I get my results.
But I have no way of searching for results from Monday to Friday, but only during the hours of 5pm to 6am.
For example.
I search NLs for "syslog" and hit the "7d" time period
Then I create a filter "errors"
now I will see all "syslog" messages that contained the term "errors" over the last 7 days.
I run to my boss and say ok here are all the errors that happened in the last 7 days.
he says "good, but I only want to see the errors that occurred over the last 7days from the hours of 5pm to 6am."
Can this feature be added to NLS, maybe as a filter or as an addition to the time picker?
Thanks guys!

[mbellerue]

Thank you for the feature request! I will put this in for you.

In order to try to solve the immediate problem, assuming we're looking at Windows event logs as an example, one of the fields is EventTime. You might consider a Grok filter that breaks up EventTime into a date field, and a time field. Then you should be able to use 2 different filters, one to specify the date range, and one to specify the time range.

[benhank]

say that's a good Idea! can you do that with syslogs too?

[mbellerue]

For syslog, it is grabbing the timestamp field. I think timestamp may be different based on the Linux distro that the log files are coming from. For example, I have an Ubuntu server sending logs to Log Server, and the timestamp field shows "Oct 1 09:18:05" That's 2 spaces between Oct and 1, where it will only be one space when we hit a two digit date, like Oct 15. Other distros sending their logs in might just show you the Unix time stamp, in which case, you'll need to convert that to something human readable, and then get it broken out into 2 different fields.

[benhank]

ok thanks you can lock it up

[benjaminsmith]

ok thanks you can lock it up

Closing this out. Have a great weekend!