Timestamp between certain hours any day?

Hi, I'm working a DFIR case; I'm fairly new to Kibana.
I've got millions of log entries to sift through. I need to see the log entries of a certain kind that were created after normal business hours, any day of the week. For instance:
"Display the ssh logs created from 7pm --> 6am for the last 6 months"

I can't figure out how to do this, any suggestions?

You can create a scripted field "hour of day" and then filter based on it. An example is part of the "Logs" sample data set.

If your data volume is large, this approach can become slow - if you are hit by that, you can move this calculation into the ingest phase by using Logstash or an Elasticsearch ingest pipeline. But IMHO it makes sense to start with a scripted field and see whether it's enough.
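The two options in the answer above (filter on the hour at query time, or compute an hour-of-day field at ingest time), worked through as an added example that is not code from the thread or from Elastic. The after-hours window in the question crosses midnight (19:00 to 06:00), so a naive `hour >= 19 && hour < 6` matches nothing; the script below handles the wrap-around, and converts the UTC timestamp into the analyst's time zone before taking the hour, since "business hours" are local hours. The field names (`@timestamp`, `event.dataset`, `hour_of_day`), the dataset value `system.auth` and the sample records are assumptions constructed for the example.

```python
"""Select log entries in a wrap-around "after hours" window (e.g. 19:00 -> 06:00).

Added example for the thread above; not code from the original post or from Elastic.
Field names (@timestamp, event.dataset, hour_of_day) and the dataset value are assumptions.
"""
from datetime import datetime, timezone, timedelta

# Constructed sample records (not from the case in the thread); timestamps are UTC.
SAMPLE_LOGS = [
    {"@timestamp": "2024-03-04T18:59:00Z", "event.dataset": "system.auth",   "message": "sshd[101]: Accepted publickey for alice"},
    {"@timestamp": "2024-03-04T19:00:00Z", "event.dataset": "system.auth",   "message": "sshd[102]: Accepted password for bob"},
    {"@timestamp": "2024-03-05T05:59:59Z", "event.dataset": "system.auth",   "message": "sshd[103]: Failed password for root"},
    {"@timestamp": "2024-03-05T06:00:00Z", "event.dataset": "system.auth",   "message": "sshd[104]: Accepted publickey for alice"},
    {"@timestamp": "2024-03-05T23:30:00Z", "event.dataset": "system.syslog", "message": "cron: job finished"},
]


def in_window(hour, start, end):
    """True if `hour` lies in [start, end); a window with start > end (19 -> 6) wraps past midnight."""
    if start > end:
        return hour >= start or hour < end
    return start <= hour < end


def after_hours(ts_iso, start=19, end=6, tz_offset_hours=0):
    """Apply the window to one record's timestamp after shifting it into the analyst's zone."""
    local = timezone(timedelta(hours=tz_offset_hours))
    ts = datetime.fromisoformat(ts_iso.replace("Z", "+00:00")).astimezone(local)
    return in_window(ts.hour, start, end)


def filter_logs(records, dataset="system.auth", start=19, end=6, tz_offset_hours=0):
    """Local reference implementation of the query: same dataset, timestamp inside the window."""
    return [r for r in records
            if r["event.dataset"] == dataset and after_hours(r["@timestamp"], start, end, tz_offset_hours)]


# Option 1: the same predicate as a Painless script filter (the scripted-field approach).
# No extra field is needed, but the script runs against every candidate hit, so it gets slow
# on large indices. `params.tz` is an IANA zone name such as "Europe/Berlin" (assumed value).
PAINLESS_HOUR_FILTER = (
    "int h = doc['@timestamp'].value.withZoneSameInstant(ZoneId.of(params.tz)).getHour();"
    " return params.start > params.end ? (h >= params.start || h < params.end)"
    " : (h >= params.start && h < params.end);"
)


def build_script_query(dataset="system.auth", start=19, end=6, tz="UTC", since="now-6M"):
    """Query DSL body: dataset term, last-6-months range, and the hour-of-day script filter."""
    return {"query": {"bool": {"filter": [
        {"term": {"event.dataset": dataset}},
        {"range": {"@timestamp": {"gte": since}}},
        {"script": {"script": {"lang": "painless", "source": PAINLESS_HOUR_FILTER,
                               "params": {"start": start, "end": end, "tz": tz}}}},
    ]}}}


# Option 2: compute hour_of_day once at ingest time, then query it with plain range filters.
def build_ingest_pipeline(tz="UTC"):
    """Ingest pipeline definition adding `hour_of_day` (assumed field name) in the analyst's zone."""
    return {"description": "add hour_of_day in the analyst's time zone",
            "processors": [{"script": {
                "lang": "painless",
                "source": ("ctx.hour_of_day = ZonedDateTime.parse(ctx['@timestamp'])"
                           ".withZoneSameInstant(ZoneId.of(params.tz)).getHour();"),
                "params": {"tz": tz}}}]}


def build_hour_field_query(dataset="system.auth", start=19, end=6, since="now-6M"):
    """Range query on the pre-computed field; a wrap-around window becomes two ORed ranges."""
    if start > end:
        hour_clause = {"bool": {"should": [{"range": {"hour_of_day": {"gte": start}}},
                                           {"range": {"hour_of_day": {"lt": end}}}],
                                "minimum_should_match": 1}}
    else:
        hour_clause = {"range": {"hour_of_day": {"gte": start, "lt": end}}}
    return {"query": {"bool": {"filter": [{"term": {"event.dataset": dataset}},
                                          {"range": {"@timestamp": {"gte": since}}},
                                          hour_clause]}}}


if __name__ == "__main__":
    import json
    for r in filter_logs(SAMPLE_LOGS):
        print(r["@timestamp"], r["message"])
    print(json.dumps(build_hour_field_query(), indent=2))
```

Run stand-alone it lists the two sample auth records that fall inside 19:00 to 06:00 UTC (the 19:00:00 and 05:59:59 entries; 18:59 and 06:00 sit just outside the half-open window) and prints the range query for the ingest-time variant. Note that the same records evaluated with a UTC-5 offset select a different pair, which is why the zone has to be fixed before the hour is taken, whether in a scripted field or in the pipeline.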


Thank you, this worked.
