Hi,
I have configured a data input to monitor breakable-text logfiles. Now I want to search for events which are created between 7pm and 7am.
I have read the documentation and know I can't use the date_hour field because the events are breakable_text. So I tried to fix my problem by using a regex, but it doesn't work.
The raw data looks like: Date/time: 2011-02-03/07:57:34 (2011-02-03/06:57:34 UTC)
host="xtesthost" "Connecting Database" | regex _raw=\d{4}-\d\d-\d\d\/(19|20|21|22|23|00|01|02|03|04|05|06):\d\d:\d\d
If I use the following search string it works fine, but this is only for one hour. 😞
host="xtesthost" "Connecting Database" | regex _raw=\d{4}-\d\d-\d\d\/06:\d\d:\d\d
Does anyone have an idea how to get all events which are created between 7pm and 7am?
It would be great if anyone could help me.
Try this one:
host="xtesthost" "Connecting Database" | eval hour=tonumber(strftime(_time,"%H")) | where hour>=19 OR hour<7
The eval statement creates a field from the timestamp of the event (the _time field) and the where clause filters events.
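The same hour-window filter, worked through in Python as an added example (this is not the answerer's code and not Splunk SPL). It uses constructed log lines in the format quoted in the question, which carry both a local timestamp and a UTC copy in parentheses. Two points it makes visible that the one-line SPL does not: the `hour>=19 OR hour<7` test is a window that wraps past midnight, so the two halves must be joined with OR, not AND; and an unanchored regex over `_raw` can match the UTC copy of the timestamp rather than the local one, pulling in events that are outside the window in local time. The `parse_event_time`, `in_night_window` and `filter_*` names are assumptions made for the example; which of the two timestamps Splunk's `_time` actually reflects depends on how timestamp extraction is configured for the sourcetype, and `strftime(_time,"%H")` renders `_time` in the timezone of the user running the search.

```python
import re
from datetime import datetime

# Constructed sample events in the format quoted in the question
# (local time, then the UTC copy in parentheses). Not real log data.
SAMPLE_EVENTS = [
    "Date/time: 2011-02-03/07:57:34 (2011-02-03/06:57:34 UTC) Connecting Database",
    "Date/time: 2011-02-03/06:59:59 (2011-02-03/05:59:59 UTC) Connecting Database",
    "Date/time: 2011-02-03/19:00:00 (2011-02-03/18:00:00 UTC) Connecting Database",
    "Date/time: 2011-02-03/18:59:59 (2011-02-03/17:59:59 UTC) Connecting Database",
    "Date/time: 2011-02-04/00:15:10 (2011-02-03/23:15:10 UTC) Connecting Database",
    "Date/time: 2011-02-03/07:00:00 (2011-02-03/06:00:00 UTC) Connecting Database",
]

# Pulls both timestamps out of one raw line.
TIMESTAMP_RE = re.compile(
    r"Date/time: (?P<local>\d{4}-\d\d-\d\d/\d\d:\d\d:\d\d) "
    r"\((?P<utc>\d{4}-\d\d-\d\d/\d\d:\d\d:\d\d) UTC\)"
)


def parse_event_time(raw, use_utc=False):
    """Return the event timestamp as a datetime, standing in for Splunk's _time.

    use_utc picks the parenthesised UTC copy instead of the local timestamp.
    Returns None for lines that do not carry a recognisable timestamp.
    """
    m = TIMESTAMP_RE.search(raw)
    if not m:
        return None
    return datetime.strptime(m.group("utc" if use_utc else "local"), "%Y-%m-%d/%H:%M:%S")


def in_night_window(ts, start_hour=19, end_hour=7):
    """Equivalent of `eval hour=... | where hour>=19 OR hour<7`.

    When start_hour > end_hour the window crosses midnight, so the two
    comparisons are joined with OR. For a window inside one day they are
    joined with AND. The end hour is exclusive: 07:00:00 is already morning.
    """
    hour = ts.hour
    if start_hour > end_hour:
        return hour >= start_hour or hour < end_hour
    return start_hour <= hour < end_hour


def filter_night_events(events, use_utc=False):
    """Keep the events whose (local or UTC) hour falls in the 19:00-06:59 window."""
    kept = []
    for raw in events:
        ts = parse_event_time(raw, use_utc)
        if ts is not None and in_night_window(ts):
            kept.append(raw)
    return kept


# The regex route the question tried, with the hour alternation written as
# character classes. Anchoring it to the "Date/time: " prefix pins the match
# to the local timestamp; without the anchor, re.search keeps scanning and
# can match the UTC copy, which sits one hour earlier in this sample.
NIGHT_HOUR_PATTERN = r"\d{4}-\d\d-\d\d/(19|2[0-3]|0[0-6]):\d\d:\d\d"


def filter_night_events_regex(events, anchored=True):
    """Regex-based equivalent; anchored=False shows the over-match on the UTC copy."""
    pattern = ("Date/time: " if anchored else "") + NIGHT_HOUR_PATTERN
    night_re = re.compile(pattern)
    return [raw for raw in events if night_re.search(raw)]


if __name__ == "__main__":
    for label, hits in (
        ("local time, eval/where style", filter_night_events(SAMPLE_EVENTS)),
        ("UTC copy, eval/where style", filter_night_events(SAMPLE_EVENTS, use_utc=True)),
        ("regex, anchored to local", filter_night_events_regex(SAMPLE_EVENTS)),
        ("regex, unanchored", filter_night_events_regex(SAMPLE_EVENTS, anchored=False)),
    ):
        print(f"{label}: {len(hits)} events")
        for raw in hits:
            print("   ", raw)
```

Translating this back to SPL: if the regex route is kept, the pattern has to be quoted (`regex _raw="..."`) so the `|` characters in the alternation are not parsed as pipeline separators, which is the most likely reason the unquoted version in the question did not work; the `eval`/`where` version in the answer avoids the problem entirely by working from the already-parsed `_time`.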
Thank you very much. That's what I need.