I have setup an alert to run a search every 10 minutes which looks for a specific Event Code and a Message string. I want this to return results except for times between 12:30am and 1:30am. How can I do this? I tried the following below but it is not working:
index=*-windows-logs EventCode=7036 Message="Service Entered A Running State" | sort - _time | eval myHour=strftime(_time, "%H") | eval myMinute=strftime(_time, "%M") | where NOT ( (myHour > 00 AND myMinute >30 ) AND (myHour <01 AND myMinute < 30) ) | table _time, ComputerName, Message
UPDATED:
....
| where NOT ( (myHour="00" AND myMinute >30 ) OR (myHour="01" AND myMinute < 30))
| table _time, ComputerName, Message
OR
....
| where NOT ( (myHour=0 AND myMinute >30 ) OR (myHour=1 AND myMinute < 30))
| table _time, ComputerName, Message
hi, @johann2017
how about this?
myHour can use by both string and number.
However, numbers must be treated as described above.
UPDATED:
....
| where NOT ( (myHour="00" AND myMinute >30 ) OR (myHour="01" AND myMinute < 30))
| table _time, ComputerName, Message
OR
....
| where NOT ( (myHour=0 AND myMinute >30 ) OR (myHour=1 AND myMinute < 30))
| table _time, ComputerName, Message
hi, @johann2017
how about this?
myHour can use by both string and number.
However, numbers must be treated as described above.
One more question, how can I exclude a larger time range? It seems that this works great for excluding within the same hour, but for instance if try to exclude between 00 and 04 it does not work properly. Example below:
index=*-windows-logs EventCode=7036 Message="Service Entered A Running State" | sort - _time | eval myHour=strftime(_time, "%H") | eval myMinute=strftime(_time, "%M") | where NOT ( (myHour > 00 AND myMinute >00 ) AND (myHour <04 AND myMinute < 00) ) | table _time, ComputerName, Message
Also, how can I tell the search to only run within a specific timeframe, lets say between only 8am - 5pm?
you can use index=your_index earliest=01/09/2020:08:00:00 latest=01/09/2020:17:00:00 Remaining search
Thanks @snallam123 !!
That seems to have done it! Thanks!