I have a working ESA rule depending on the time, with the following syntax:

create context BusinessHours start (0, 9, *, *, *) end (0, 18, *, *, *);

It works fine, but the check is only based on the arrival time of the log.

How can I change this behavior to base the time check on another meta?

Examples:

  • event.time for Windows events
  • a custom meta (some logs could contain multiple times, like start time or stop time)
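As an added illustration, not part of the original post and not NetWitness or ESA code, the Python below models the distinction the question is about: evaluating the same crontab-style business-hours window (0, 9, *, *, *) to (0, 18, *, *, *) once against the log's arrival time and once against a chosen meta such as event.time or a custom session start time. The event dictionaries, the key names arrival_time, event.time, session.start and session.stop, and the sample timestamps are constructed for the example; only the window bounds come from the rule in the question. The point for detection is visible in event win-1: a Windows event generated at 22:15 that reaches the engine at 09:05 the next morning looks like business hours if only arrival time is checked, and is correctly classed as out-of-hours when the event's own time is used. A missing or unparseable meta falls back to arrival time, and all times are normalised to UTC before comparison, since a meta in a different zone from the rule's clock would otherwise shift the window.

```python
from datetime import datetime, timezone

# Crontab-style bounds taken from the question's ESA context:
#   start (0, 9, *, *, *)  end (0, 18, *, *, *)
# Esper crontab order is (minute, hour, day_of_month, month, day_of_week);
# only minute and hour are honoured here because the rule uses '*' elsewhere.
BUSINESS_START = (0, 9, "*", "*", "*")
BUSINESS_END = (0, 18, "*", "*", "*")


def parse_ts(value):
    """Parse an ISO-8601 timestamp string into an aware UTC datetime, or None."""
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if ts.tzinfo is None:          # assume naive values are already UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def in_business_hours(ts, start=BUSINESS_START, end=BUSINESS_END):
    """True when ts falls inside [start, end) of the same day, evaluated in UTC."""
    minute_of_day = ts.hour * 60 + ts.minute
    return start[1] * 60 + start[0] <= minute_of_day < end[1] * 60 + end[0]


def pick_timestamp(event, time_meta):
    """Return (source, datetime): the configured meta when present and parseable,
    otherwise the log's arrival time (hypothetical key 'arrival_time')."""
    ts = parse_ts(event.get(time_meta))
    if ts is not None:
        return time_meta, ts
    return "arrival_time", parse_ts(event["arrival_time"])


def evaluate(events, time_meta):
    """Classify each event as inside or outside business hours using time_meta.
    Returns {event id: (source actually used, in_hours flag)}."""
    result = {}
    for ev in events:
        source, ts = pick_timestamp(ev, time_meta)
        result[ev["id"]] = (source, in_business_hours(ts))
    return result


# Constructed sample events (not real logs). 'win-1' was generated at 22:15 UTC
# but only arrived at 09:05 the next morning, e.g. after a collector backlog.
SAMPLE_EVENTS = [
    {"id": "win-1", "arrival_time": "2024-05-07T09:05:00Z",
     "event.time": "2024-05-06T22:15:00Z"},
    {"id": "win-2", "arrival_time": "2024-05-07T10:30:00Z",
     "event.time": "2024-05-07T10:29:40Z"},
    # custom meta: a session record carrying both a start and a stop time
    {"id": "sess-1", "arrival_time": "2024-05-07T11:00:00Z",
     "session.start": "2024-05-07T08:40:00Z", "session.stop": "2024-05-07T09:10:00Z"},
    # malformed event.time: evaluation falls back to arrival time
    {"id": "win-3", "arrival_time": "2024-05-07T19:00:00Z",
     "event.time": "not-a-timestamp"},
]

if __name__ == "__main__":
    for meta in ("arrival_time", "event.time", "session.start"):
        print(meta, evaluate(SAMPLE_EVENTS, meta))
```

Running the block shows win-1 inside the window under arrival_time and outside it under event.time, while sess-1 is only flagged out-of-hours when session.start is the chosen meta; which of several time metas a rule should use is a per-log-source decision, which is why the meta name is a parameter rather than a constant.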