Time Range
Posted: Tue Nov 12, 2019 10:08 am
by CameronWP
Hi:
I am trying to create a query that I can use to make an alert between time ranges. I have been trying a few different things...
EventTime: "* 10:00:37" to "* 10:00:50"
...as an example but I am not getting expected results. Is this possible?
Thanks!
Re: Time Range
Posted: Tue Nov 12, 2019 5:43 pm
by cdienger
EventTime is stored as a string by default. To confirm you can run:
    curl -XGET 'localhost:9200/logstash-2019.11.12/?pretty' | more
and look for the EventTime definition. It would look something like:
    "EventTime" : {
      "type" : "string",
      "norms" : {
        "enabled" : false
      },
      "fielddata" : {
        "format" : "disabled"
      },
      "fields" : {
        "raw" : {
          "type" : "string",
          "index" : "not_analyzed",
          "ignore_above" : 256
        }
      }
    },
You can save it as a date that is searchable with a filter like:
    # Only convert when the event actually carries an EventTime field
    if ("" in [EventTime]) {
      date {
        match  => [ "EventTime", "yyyy-MM-dd HH:mm:ss" ]
        target => "EventTime"
      }
    }
Then search with something like:
    EventTime:[20191112T10:00:37 TO 20191112T10:00:50]
Note that this filter will only apply to new data and you may need to wait a day for the indices to rotate and allow the new definition to work.
Re: Time Range
Posted: Wed Nov 13, 2019 11:20 am
by CameronWP
Thanks for that! What I am hoping to do is wildcard the date but search between hours, i.e. every event of a certain type between 5pm and 6am no matter the day. Is that possible?
Re: Time Range
Posted: Wed Nov 13, 2019 4:55 pm
by cdienger
The only way I can come up with would be to further break down the time:
    if ("" in [EventTime]) {
      # First store EventTime as a real date
      date {
        match  => [ "EventTime", "yyyy-MM-dd HH:mm:ss" ]
        target => "EventTime"
      }
      # Then split the time of day into its own hour/minute/second fields
      grok {
        match => [ "EventTime", "T%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}" ]
      }
    }
and then use a Lucene search like:
    hour:10 && minute:00 && second:[37 TO 50.999]