Query a specific time-range and alert at specific time of the day - elastalert

I need to run a rule at 2 am, querying logs from 0 to 2 am, and alert if matches are found.
So far all the rules I have created are frequency rules, but I don't know how to achieve the specific time range for the query and a specific time for the alert. Can someone please help?
(I guess the ANY type could let me add my time range as part of the filter....but then how can I run the rule at 2 am every day?)

`now` is taken from the server's clock:
filter:
- range:
    "#timestamp":
      "from": "now-2h"
      "to": "now"

In UTC (filter must be a list, hence the leading dash):
filter:
- range:
    "#timestamp":
      gte: "now/d+0h"
      lt: "now/d+2h"

If you want your alert to be effective for specific hours only, you can create an enhancement that drops the alert if the current time doesn't match your needs.
Check https://elastalert.readthedocs.io/en/latest/recipes/adding_enhancements.html
Regards
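Added example, not ElastAlert's own code and not from the answer above: an enhancement of the kind the answer points to, which drops every match whose timestamp falls outside a daily wall-clock window. The rule keys `window_start`, `window_end` and `window_tz` are names assumed for this example only; `BaseEnhancement`, `DropMatchException` and `process(self, match)` are the interface documented at the linked recipe. It goes a little beyond the question by evaluating the window in a configurable timezone rather than the server's local time (the UTC versus local pitfall behind the two filters above) and by handling a window that wraps past midnight. The stand-in classes in the `except ImportError` branch exist only so the file also runs where ElastAlert is not installed; the sample matches are constructed.

```python
"""Added example: an ElastAlert match enhancement that keeps alerts only for
matches inside a daily wall-clock window such as 00:00-02:00 in a given zone.
Rule keys window_start / window_end / window_tz are assumed names for this
example, not ElastAlert options."""
import re
from datetime import datetime, time, timedelta, timezone

try:
    from elastalert.enhancements import BaseEnhancement, DropMatchException
except ImportError:
    # Minimal stand-ins with the same interface as ElastAlert's classes, so
    # the example runs where ElastAlert is not installed.
    class BaseEnhancement:
        def __init__(self, rule):
            self.rule = rule

    class DropMatchException(Exception):
        pass

_OFFSET_RE = re.compile(r"^([+-])(\d{2}):(\d{2})$")


def resolve_tz(name):
    """'UTC', a fixed offset such as '+01:00', or an IANA name such as
    'Europe/Berlin' (the last needs the zoneinfo database on the host)."""
    if name.upper() == "UTC":
        return timezone.utc
    m = _OFFSET_RE.match(name)
    if m:
        sign = 1 if m.group(1) == "+" else -1
        return timezone(sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3))))
    from zoneinfo import ZoneInfo
    return ZoneInfo(name)


def parse_es_timestamp(value):
    """Elasticsearch emits ISO 8601 with 'Z' or a numeric offset; a naive
    value is treated as UTC, which is how Elasticsearch stores dates."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def in_daily_window(dt, start, end, tz):
    """True when dt falls in [start, end) wall-clock time of tz. A window that
    wraps past midnight (e.g. 22:00-02:00) is handled as well."""
    t = dt.astimezone(tz).time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def should_keep(ts, start="00:00", end="02:00", tz="UTC"):
    """Same check over the string forms that appear in a rule file."""
    return in_daily_window(parse_es_timestamp(ts), time.fromisoformat(start),
                           time.fromisoformat(end), resolve_tz(tz))


class DailyWindowEnhancement(BaseEnhancement):
    """Drops every match outside the configured window. In the rule file:
        match_enhancements:
        - yourmodule.DailyWindowEnhancement
        window_start: "00:00"
        window_end: "02:00"
        window_tz: "Europe/Berlin"
    """

    def process(self, match):
        r = self.rule
        ts = match[r.get("timestamp_field", "@timestamp")]
        if not should_keep(ts, r.get("window_start", "00:00"),
                           r.get("window_end", "02:00"), r.get("window_tz", "UTC")):
            raise DropMatchException()


def apply_enhancement(rule, matches):
    """Mimics what ElastAlert does with an enhancement: run process() on each
    match and keep the ones that were not dropped."""
    enh = DailyWindowEnhancement(rule)
    kept = []
    for m in matches:
        try:
            enh.process(m)
        except DropMatchException:
            continue
        kept.append(m)
    return kept


if __name__ == "__main__":
    # Constructed sample matches, shaped like the hits ElastAlert passes in.
    rule = {"window_start": "00:00", "window_end": "02:00", "window_tz": "+01:00"}
    sample = [
        {"@timestamp": "2024-01-14T23:30:00Z", "host": "web-1"},  # 00:30 local: kept
        {"@timestamp": "2024-01-15T00:30:00Z", "host": "web-2"},  # 01:30 local: kept
        {"@timestamp": "2024-01-15T01:30:00Z", "host": "web-3"},  # 02:30 local: dropped
    ]
    for m in apply_enhancement(rule, sample):
        print(m["host"], m["@timestamp"])
```

The decision is made on the match's own timestamp, not on the wall clock at the moment the rule runs, so a delayed or re-run rule still alerts on the same set of events. The timezone is resolved per rule rather than inherited from the server, which is the difference between the two range filters in the answer above.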

Related

Splunk showing wrong index time

I have indexed data on Splunk, but I can see that _time (the indexed time) is showing wrong, like this:
I indexed this data on 19th Oct, but it shows as indexed on 18th Oct.
Please suggest what the solution would be, or whether I need to manually overwrite the _time key with the current date and time.
Thanks
_time is not the time the event was indexed - that's _index_time. _time is the time the event happened, which usually is different from when it was indexed (because of transport/processing delays).
From your screenshot I see what I presume is the event time ('date' field) differs from _time. That often happens when the time zone is incorrect or is not interpreted correctly. Were that the case here, however, I would expect the difference between date and _time to be a multiple of 30 minutes.
From what I see in the question, it's possible the props.conf settings are causing Splunk to interpret the wrong field as _time. Closer inspection shows the sourcetype ends with "too_small". This is an indication that Splunk does not have specific settings for the sourcetype so it's trying to guess at where the timestamp is (and getting it wrong, obviously).
The solution is to create a props.conf stanza for the sourcetype. It should be something like this:
[json]
TIME_PREFIX = date:
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z
MAX_TIMESTAMP_LOOKAHEAD = 26
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 10000
Put these settings on your indexer and restart it. Events that arrive after that should have the right time on them.

How to add days in OrientDB

How do we add days to dates in OrientDB?
select sysdate()+1 from safetyplan;
It gives the same output as sysdate().
1 is not getting added. Can you help me, please?
According to the OrientDB 2.2 docs:
sysdate() returns the current date time. If executed with no parameters, it returns a Date object, otherwise a string with the requested format/timezone.
So one possible way is to convert the date object to a long using the .asLong() method of the date object, do the necessary addition, and convert it back to a date using the .asDate() method.
Example: to add one day to the current date, use:
select sum(sysdate().asLong(),86400000).asDate() from safetyplan;
Note: we are adding in milliseconds, and 1 day = 1000*60*60*24 milliseconds.
NB: I thought this answer might help someone; sorry for answering my own question.

tzs for Jawbone Moves

I would like some clarification on tzs for the Jawbone Moves endpoint: https://jawbone.com/up/developer/endpoints/moves. Is this key going to be present on all response items? If not, what types of records will have it vs those that don't. Additionally, the docs indicate it will be an array of arrays with the following format:
"tzs": [
  [1384963500, "America/Phoenix"],
  [1385055720, "America/Los_Angeles"]
]
However, I am getting response that look like the following:
"tzs": [[1468410383, -14400]]
Is the second an offset I presume in seconds?
The tzs key will appear in responses from the moves endpoint that provide data for a given day's move. It will always be present, but it will only contain more than one entry if the user changes timezones during the given time period (e.g., the user is travelling).
Here's the explanation from the documentation:
Each entry in the list contains a unix timestamp and a timezone. In most instances the timezone entry is a string containing the Olson timezone.
When the timezone entry is just a number, then you are correct: it's the GMT offset in seconds, so -14400 corresponds to US/Eastern.
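Added example in Python, not Jawbone's code and not from the answer above: given a `tzs` list in either of the two shapes quoted in the question (an Olson name or an integer UTC offset in seconds), pick the entry in effect at a given unix timestamp and render that instant in the user's local time. It assumes the entries are listed in ascending timestamp order, as in the documented sample, and that the first entry also covers instants before its own timestamp. The sample lists are constructed from the values in the question.

```python
"""Added example: resolve the Jawbone 'tzs' entry that applies to a unix
timestamp and convert the timestamp to local time. Entries may carry an Olson
zone name ("America/Phoenix") or an integer UTC offset in seconds (-14400)."""
from bisect import bisect_right
from datetime import datetime, timedelta, timezone


def tz_entry_for(tzs, ts):
    """Timezone value (name or offset) in effect at unix time ts: the last
    entry whose timestamp is <= ts, or the first entry if ts precedes all of
    them (assumption: the first entry covers the start of the period)."""
    if not tzs:
        raise ValueError("tzs is empty")
    starts = [entry[0] for entry in tzs]
    idx = bisect_right(starts, ts) - 1
    return tzs[max(idx, 0)][1]


def to_tzinfo(value):
    """Integer offsets become a fixed-offset zone; strings are looked up as
    IANA names (needs the zoneinfo database on the host)."""
    if isinstance(value, (int, float)):
        return timezone(timedelta(seconds=int(value)))
    from zoneinfo import ZoneInfo
    return ZoneInfo(value)


def local_time(tzs, ts):
    """Aware datetime of ts in the zone that tzs says was in effect then."""
    return datetime.fromtimestamp(ts, tz=to_tzinfo(tz_entry_for(tzs, ts)))


def utc_offset_seconds(tzs, ts):
    """The effective UTC offset at ts, in seconds, whichever shape tzs uses."""
    return int(local_time(tzs, ts).utcoffset().total_seconds())


if __name__ == "__main__":
    # Constructed samples: the documented shape and the observed shape.
    docs_shape = [[1384963500, "America/Phoenix"], [1385055720, "America/Los_Angeles"]]
    observed_shape = [[1468410383, -14400]]
    print(tz_entry_for(docs_shape, 1385000000))
    print(local_time(observed_shape, 1468410383).isoformat())
```

Because the offset form carries no DST rules, an offset entry is only valid for the instants the list says it covers; do not reuse -14400 for a different date without consulting that date's own `tzs` entry.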

Podio API filtering by date range

I'm trying to filter tasks by date range and I'm getting errors whatever I try. This is how my request looks like: http://api.podio.com/task?completed=true&created_on%5Bfrom%5D=2016-06-23&created_on%5Bto%5D=2016-06-28&limit=100&offset=0&sort_by=rank&sort_desc=false&space=4671314
Here I'm trying to filter by created_on and I'm supplying {from: "2016-06-23", to: "2016-06-28"}, but it always returns the same error: invalid filter. I'm trying to filter tasks that were created in the last 5 days.
The tasks API reference can be found in their API docs.
What am I doing wrong?
Date ranges can be separated by -.
To display "all my tasks created between 1st Jan 2014 and 1st Jan 2016":
/task?created_on=2014-01-01-2016-01-01&responsible=0
To filter tasks by date range with the Podio API, use:
/task/?created_on=2017-04-25-2017-05-01&offset=0&sort_by=rank&sort_desc=false&space=xxxxxxx

Time.now.beginning_of_year does not start at the beginning of the year

Trying to get records that were created this year, I stumbled upon this great question. The second answer says you get all records from a model that were created today by saying:
Model.where("created_at >= ?", Time.now.beginning_of_day)
So, naturally, I tried the same thing with Time.now.beginning_of_year, and it works just fine.
However, what struck me as interesting is that the generated query (I tried it in the console) is
SELECT COUNT(*) FROM `invoices` WHERE (created_at >= '2012-12-31 23:00:00')
I wasn't aware that 2013 already began at 2012-12-31 23:00:00? How's that?
If you haven't set it yet, you should set your timezone in the config/application.rb file. Look for the line that begins with config.time_zone. (If you aren't sure what value to give, you can run rake time:zones:all to get a list of all available timezones.)
Once you've set your timezone, you should use Time.zone.now, as opposed to Time.now. This will properly "scope" your times to your timezone.
Check the API for more details on TimeWithZone.