Kibana alert rules use today only time window

Hello, I would like to create a rule that uses only today's time window (from 00:00 to 24:00), not the last one day. For example, the rule is triggered every 15 minutes. The first check will be at 00:15 and uses the time window 00:00 to 00:15. At the 12 noon check, the time window will be 00:00 to 12:00. At the 8 at night check, the time window is 00:00 to 20:00. At the 24:00 check, it will use the whole day, 00:00 to 24:00. After that, it will reset back to the first check the next day. Is this possible?

You can add a filter to the "Define your query" section that does date math to get the time range you want.

See https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-range-query.html#ranges-on-dates

In this case, you can add a filter on the @timestamp field that sets a range between the beginning of the day and "now".

In the "For the last" clause, you will want to choose the last 24 hours, as sometimes the time filter will calculate out to a range of that size.

Hope this helps!
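The filter described in the reply above, as an added example that is not part of the original post: the Query DSL range filter (written as a Python dict) together with a small model of how it combines with the rule's "For the last" window. The function names, the sample date, the fixed-offset time zone handling and the assumption that the rule intersects both windows are illustrative, not taken from Kibana's code.

```python
from datetime import datetime, timedelta, timezone
import json

# Filter for the rule's query: start of the current day up to now.
# Without a "time_zone" parameter on the range, now/d rounds to midnight UTC.
TODAY_FILTER = {
    "bool": {
        "filter": [
            {"range": {"@timestamp": {"gte": "now/d", "lte": "now"}}}
        ]
    }
}

def start_of_day(now, utc_offset_hours=0):
    """Model of now/d: round down to midnight at the given fixed UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = now.astimezone(tz)
    midnight = local.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight.astimezone(timezone.utc)

def effective_window(now, for_the_last=timedelta(hours=24), utc_offset_hours=0):
    """Assumed model: intersect the 'For the last' window with now/d..now."""
    start = max(now - for_the_last, start_of_day(now, utc_offset_hours))
    return start, now

if __name__ == "__main__":
    print(json.dumps(TODAY_FILTER, indent=2))
    day = datetime(2024, 5, 14, tzinfo=timezone.utc)  # constructed sample date
    for hh, mm in [(0, 15), (12, 0), (20, 0), (23, 45)]:
        now = day.replace(hour=hh, minute=mm)
        s, e = effective_window(now)
        print(f"check {now:%H:%M}  window {s:%H:%M} -> {e:%H:%M}")
    # A check at exactly midnight already belongs to the new day: empty window,
    # so the last check that still sees "today" is the one before midnight.
    s, e = effective_window(day + timedelta(days=1))
    print("midnight check window length:", e - s)
    # A 'For the last' shorter than the elapsed day cuts the morning off,
    # which is why the reply picks 24 hours.
    s, e = effective_window(day.replace(hour=20), for_the_last=timedelta(hours=1))
    print(f"1h 'For the last' at 20:00 starts at {s:%H:%M}")
```

For an alert that must follow a local calendar day, the rounding offset matters: events between local midnight and UTC midnight fall into the wrong day if the filter rounds in UTC.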
