ESA alerts depending on the time in event.time

Discussion created by Uq1lws3RT39tp8reFD8y8NuuHaHt7KaBBIJDVDjgnPY= on Jan 22, 2016
Latest reply on Jan 29, 2016 by David Waugh



I have a working ESA rule depending on the time, with the following syntax:


create context BusinessHours start (0, 9, *, *, *) end (0, 18, *, *, *);



It works fine, but the check is only based on the arrival time of the log.


How can I change this behavior to base the time check on another meta?


Examples:

  • event.time for windows events
  • a custom meta (some logs could contain multiple times, like start time or stop time)