When I run the following search using All time (real-time), no results are returned:
* AND (date_hour!=13 OR date_minute<50 OR date_minute>55)
Why is this? When I change the time range to a 30-second window, the expected results are returned. I wanted to create a real-time alert based on the search, but it never triggers.
The * will be replaced by the actual search parameters; I just wanted to make sure I get lots of events to check whether my time-window filter works correctly. I started with all filters and found out that no results are returned as soon as I add the time-window filter. The alert will be using a sliding 5-minute window with additional search parameters.