
ESA alerts depending on the time in event.time

Discussion created by Uq1lws3RT39tp8reFD8y8NuuHaHt7KaBBIJDVDjgnPY= on Jan 22, 2016
Latest reply on Jan 29, 2016 by David Waugh

Hi,

I have a working ESA rule that depends on the time, with the following syntax:

@Name('BusinessHours')

create context BusinessHours start (0, 9, *, *, *) end (0, 18, *, *, *);

...

It works fine, but the check is based only on the arrival time of the log.

How can I change this behavior to base the time check on another meta?

Examples:

  • event.time for Windows events
  • a custom meta (some logs could contain multiple times, like start time or stop time)
