I need to create a search that calculates the cumulative count of a specific event during the weekend.
I have the following query, which gives me the count of distinct hosts that have EventID 6009. These events can happen at any time during the weekend.
index=win_logs sourcetype=System EventID=6009 | stats dc(host) AS TotalHostCount
I've created an alert that will run this search every 2 hours during the weekends (Saturdays AND Sundays) and send an email with the current count, so we can monitor the progress. I did the schedule using cron.
But I am struggling with the right time modifiers to use with the cron schedule... I want to lock my timeframe to look at events between Saturdays 12:00:00AM and Mondays 12:00:00AM.
I tried to use earliest=@w6, and it will lock my search to start on Saturdays, but when the alert is triggered again on Sunday, it will be considered a new week (w0) and therefore w6 will be a date in the future, messing the whole thing up...
Any ideas?
Thanks for your suggestion, but as I mentioned in my original question, I have to lock in a specific timeframe (Saturdays 12:00:00AM to Mondays 12:00:00AM) and still be able to execute the query every 2 hours during the weekend.
earliest=-1d@w6 will work fine for Sunday, but if I run the query on Saturday it will give me results from Friday, which is outside the desired timeframe.
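To make the requirement concrete, here is an added Python example (not part of this thread, and not an implementation of Splunk's snap-to time modifiers) that computes the locked window, Saturday 00:00:00 up to but not including Monday 00:00:00, for any weekend run time, and then produces the cumulative distinct-host count for EventID 6009 the way the 2-hourly alert would. Timestamps are naive local time and the event records are constructed sample data.

```python
from datetime import datetime, timedelta

SATURDAY, SUNDAY = 5, 6  # datetime.weekday() values


def weekend_window(run_time):
    """Return (earliest, latest) for the weekend containing run_time.

    earliest is the most recent Saturday 00:00:00, latest is the following
    Monday 00:00:00, so the same window is returned whether the alert fires
    on Saturday or on Sunday.
    """
    if run_time.weekday() not in (SATURDAY, SUNDAY):
        raise ValueError("run_time must fall on a Saturday or Sunday")
    days_since_saturday = run_time.weekday() - SATURDAY  # 0 on Sat, 1 on Sun
    saturday = (run_time - timedelta(days=days_since_saturday)).replace(
        hour=0, minute=0, second=0, microsecond=0)
    monday = saturday + timedelta(days=2)
    return saturday, monday


def distinct_hosts(events, earliest, latest, event_id=6009):
    """Equivalent of `EventID=6009 | stats dc(host)` over [earliest, latest)."""
    return len({e["host"] for e in events
                if e["EventID"] == event_id and earliest <= e["_time"] < latest})


def cumulative_count(events, run_time):
    """Count seen so far this weekend: Saturday 00:00:00 up to the run time."""
    earliest, _ = weekend_window(run_time)
    return distinct_hosts(events, earliest, run_time)


# Constructed sample events; 2024-03-09 is a Saturday.
EVENTS = [
    {"_time": datetime(2024, 3, 8, 23, 30), "host": "srvA", "EventID": 6009},  # Friday
    {"_time": datetime(2024, 3, 9, 1, 0), "host": "srvB", "EventID": 6009},
    {"_time": datetime(2024, 3, 9, 16, 0), "host": "srvC", "EventID": 6009},
    {"_time": datetime(2024, 3, 10, 3, 0), "host": "srvB", "EventID": 6009},  # repeat host
    {"_time": datetime(2024, 3, 10, 5, 0), "host": "srvD", "EventID": 6008},  # other event
    {"_time": datetime(2024, 3, 11, 0, 30), "host": "srvE", "EventID": 6009},  # Monday
]

if __name__ == "__main__":
    for run in (datetime(2024, 3, 9, 14, 0), datetime(2024, 3, 10, 6, 0)):
        print(run, weekend_window(run), cumulative_count(EVENTS, run))
```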