Hello,
I am creating a canvas where I would like to show some anomalies in my cluster, and I wanna create something that show me if a new user in my AD has been created between midnight and 7am for example.
I have this SQL which allow me to see the number of users created, but I don't know how to add the timestamp condition:
SELECT COUNT(*) as user_added
FROM "winlogbeat-*"
WHERE "event.code" = 4720
Could you please help me ?
Thanks 
Over all time? Or only over the last X days?
There might be several ways to do this, but sounds like you need an "hour of day" kind of filter. Seems like this would be best handled by an upcoming feature in 7.11 called "Runtime fields" which will give you the capability to define arbitrary new fields that are not in the mappings.
The above example creates "day of week", but certainly hour of day would just be as easy.
But, it might be about a month until 7.11 is released. In the meantime, you could investigate using a Transform with a scripted metric aggregation (to create an "hour of day" field) and have the transform put this in a new index - one that you query from Canvas.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
