I am currently pulling in event IDs from Windows events for the purpose of monitoring when servers are being rebooted and for what reasons. However, every Monday at 6 AM (local server time), there is a scheduled task that reboots the entire fleet, which ranges over every time zone in the U.S., and this throws off the dashboard count panels I have created since all 800+ servers are rebooting.
Example of current search:
source="WinEventLog:System" NOT Message=*Explorer.exe* EventCode=1074
So what I would like to do is search through the past 30 days and exclude Mondays from 5 to 7 AM (local server time). I've tried things like "date_wday!=monday" and it seems to break the search, telling me to "expand my search range" (and "NOT date=wday="monday"" or any variant doesn't work either).
I've seen people suggest things like:
| eval weekDay = strftime(_time,"%a")
| eval HourOfDay = strftime(_time,"%H")
But I don't quite grasp what is happening here or how to use it.
Below is an example of one of the events that I can see and how it's formatted. I noticed that the "Time" field is different from the time in the "Event" field. Should I (or could I) use the date/time from the event to do this? I would think that would always be accurate for what I'm getting at here.
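The following search is an added example, not part of the original post, showing how the two eval lines quoted above can be combined with a where clause to drop the Monday 05:00-06:59 reboot window before counting. It assumes the reboot events are still identified by EventCode 1074 as in the post, that results are grouped by the standard host field, and that _time is rendered in the time zone configured for the searching user rather than each server's local zone.

```spl
source="WinEventLog:System" EventCode=1074 NOT Message="*Explorer.exe*" earliest=-30d
| eval weekDay=strftime(_time,"%a"), hourOfDay=tonumber(strftime(_time,"%H"))
| where NOT (weekDay="Mon" AND hourOfDay>=5 AND hourOfDay<7)
| stats count BY host
```

strftime formats the event time as a three-letter weekday ("Mon") and a two-digit hour ("05"); tonumber turns the hour into a number so the range test works, and the where clause keeps every event except those falling in the Monday 5-7 AM window. Because the hour is derived from _time in the user's time zone, a fleet spanning several U.S. zones will need the window widened or a per-host offset if the goal is to match each server's own local 6 AM reboot.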