Hi there,
I have a query whereby I wish to return results over the previous week, but NOT within a specific couple of hours every day. At the moment it looks something like this:
source="*prod-*.log" earliest=-7d@w0 latest=@w7 | where NOT (date_hour>=9 AND date_hour<=11) | stats count by eventtype
However it is not excluding those events which fall between 9 and 11 each day.
If possible, I'd also like to know how to specify the minutes in the query, e.g.:
source="*prod-*.log" earliest=-7d@w0 latest=@w7 | where NOT (time>=9:58 AND time<=10:15) | stats count by eventtype
Please note, I've invented the "time" keyword above to demonstrate what I'm after.
Any help would be appreciated.
Cheers,
Ben