Hey Guys,
I am creating my custom rule to monitor the filebeat-* events to monitor login events only between 09:00 to 20:00. And needs to send an alert if any event happens after the said period. Can we do that with custom rules?
Can someone pls advise?
If you're only looking for login events between some period of time you might be able to use date math like so:
@timestamp >= "now/d+9h" and @timestamp <= "now/d+20h"
See here:
https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math
I tried it out with a rule and it looked like it worked against some filebeat data I had and produced results between 9 and 20 hours running.
Dang why I didnt think of that but thanks for the clue buddy!!.
let me try that.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.