Time Range

[CameronWP]

Hi:

I am trying to create a query that I can make an alert between time ranges. I have been trying a few different things...

EventTime: "* 10:00:37" to "* 10:00:50"

...as an example but I am not getting expected results. Is this possible?

Thanks!

[cdienger]

EventTime is stored as a string by default. To confirm you can run:

Code: Select all

curl -XGET 'localhost:9200/logstash-2019.11.12/?pretty' | more

and look for the EventTime defintion. It would look something like:

Code: Select all

 "EventTime" : {
            "type" : "string",
            "norms" : {
              "enabled" : false
            },
            "fielddata" : {
              "format" : "disabled"
            },
            "fields" : {
              "raw" : {
                "type" : "string",
                "index" : "not_analyzed",
                "ignore_above" : 256
              }
            }
          },

You can save it as a date that is searchable with a filter like:

Code: Select all

if ("" in [EventTime]) {
date {
match => [ "EventTime", "yyyy-MM-dd HH:mm:ss" ]
target => "EventTime"
}
}

Then search with something like:

Code: Select all

EventTime:[20191112T10:00:37 TO 20191112T10:00:50]

Note that this filter will only apply to new data and you may need to wait a day for the indices to rotate and allow the new definition to work.

[CameronWP]

Thanks for that! What I am hoping to do is wildcard the date but search between hours. I.E. Every event of a certain type between 5pm and 6am no matter the day. Is that possible?

[cdienger]

The only way I can come up with would be to further break down the time:

Code: Select all

if ("" in [EventTime]) {
date {
match => [ "EventTime", "yyyy-MM-dd HH:mm:ss" ]
target => "EventTime"
}
grok {
  match => ["EventTime", "T%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}"]
}
}

and then use a Lucene search like:

Code: Select all

hour:10 && minute:00 && second:[37 TO 50.999]