Alerting

Can the date_hour, date_minute and date_second fields be used in realtime searches?

Communicator

When I run the following search using All time (real-time), no results are returned:

* AND (date_hour!=13 OR date_minute<50 OR date_minute>55)

Why is this? When I change the time range to a 30-second window, the expected results are returned. I wanted to create a real-time alert based on the search, but it never triggers.

0 Karma

Communicator

I found a workaround:

* | search (date_hour!=13 OR date_minute<50 OR date_minute>55)

But to be honest, I have no idea why this works...

0 Karma
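An added SPL variant (not from either poster in this thread) that expresses the same window using hour and minute values computed from `_time` with `eval`, so the filter no longer depends on the indexed `date_hour` and `date_minute` fields being present on each event. The hour and minute boundaries are the ones from the thread; whether this changes real-time behaviour is an assumption this thread does not confirm.

```spl
* 
| eval hour=tonumber(strftime(_time, "%H")), minute=tonumber(strftime(_time, "%M"))
| where hour!=13 OR minute<50 OR minute>55
```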

Builder

You say when you set it to a 30-sec window it works, but what window do you want to use?
Also, why are you searching for just *?

0 Karma

Communicator

* will be replaced by the actual search parameters; I just wanted to make sure I get lots of events to check whether my time window filter works correctly. I started with all filters and found out that no results are returned as soon as I add the time window filter. The alert will be using a sliding 5-minute window with additional search parameters.

0 Karma

Builder

It might be that you're getting too many results. Is this a table? Or is it a graph?

0 Karma

Communicator

I just run the search above and use the events viewer. The 30-second window returns around 70 results.

0 Karma