Hello All,
Below is my alert script. I don't want any alerts during the night from 11:50 to 00:25 (midnight); however, I am getting them, and it is triggering alerts to the support team. This is the daily restart window for the interfaces, so there is no need for alerts during this time.
index=XXX sourcetype=XXX punct="--_::.,_=\"\""
| rex field=_raw "\d*-\d*-\d*\s(?<hour>\d*:\d*):\d*\S\d*\S" ```capture HH:MM of the event timestamp into hour```
| search hour!=23:50 ```drops only events stamped exactly 23:50```
| search hour!=00:15 ```drops only events stamped exactly 00:15```
| table _time SITE
I would appreciate help on this.
Below is the sample event:
Find out what the current time is, then compare it to your window times:
| eval timeNow = strftime(now(), "%H%M")
| where (timeNow < 2350 AND timeNow > 0015) ```outside of maint. window```
Correction: no need for alerts during 23:50 to 00:15.
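To make the difference between the two searches concrete, here is an added example (not from the original post or the reply) that runs the same two filters over constructed sample events. The timestamp format, the SITE field and the event text are assumptions, since the thread shows no sample event; the window boundaries follow the correction above (23:50 to 00:15, inclusive at both ends, matching the reply's where clause). The window check handles a window that crosses midnight, which a plain "between start and end" comparison does not.

```python
import re
from datetime import datetime

# Constructed sample events (assumed format: "YYYY-MM-DD HH:MM:SS.mmm+0000 SITE=... text").
# Not taken from the original post, which shows no sample event.
SAMPLE_EVENTS = [
    '2024-03-01 23:45:10.123+0000 SITE="LON1" interface down',
    '2024-03-01 23:50:00.001+0000 SITE="LON1" interface down',
    '2024-03-01 23:58:30.500+0000 SITE="NYC2" interface down',
    '2024-03-02 00:15:00.000+0000 SITE="NYC2" interface down',
    '2024-03-02 00:15:59.999+0000 SITE="NYC2" interface down',
    '2024-03-02 00:16:00.000+0000 SITE="NYC2" interface down',
    '2024-03-02 08:30:00.000+0000 SITE="FRA1" interface down',
]

# Same capture as the thread's rex: the HH:MM part of the event timestamp.
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}\s(?P<hour>\d{2}:\d{2}):\d{2}\S\d*\S")


def extract_hhmm(line):
    """Return the HH:MM string of an event line, or None if no timestamp matches."""
    m = TS_RE.search(line)
    return m.group("hour") if m else None


def to_minutes(hhmm):
    """'23:50' -> 1430 (minutes since midnight), the integer form of strftime('%H%M')."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def in_window(hhmm, start="23:50", end="00:15"):
    """True if hhmm falls inside [start, end], inclusive.

    A window whose start is later than its end (23:50 -> 00:15) crosses
    midnight, so the test becomes "after start OR before end" instead of
    "after start AND before end".
    """
    t, s, e = to_minutes(hhmm), to_minutes(start), to_minutes(end)
    if s <= e:
        return s <= t <= e
    return t >= s or t <= e


def exact_minute_filter(lines):
    """What the original search does: keep everything except the two exact minutes."""
    return [ln for ln in lines if extract_hhmm(ln) not in ("23:50", "00:15")]


def window_filter(lines):
    """What was intended: drop every event whose HH:MM lies in the restart window."""
    return [ln for ln in lines if not in_window(extract_hhmm(ln))]


def alert_suppressed_at(hhmm):
    """Alert-time check, the equivalent of the reply's now()-based where clause."""
    return in_window(hhmm)


if __name__ == "__main__":
    # The exact-minute filter still lets the 23:58 event through; the window filter does not.
    for ln in exact_minute_filter(SAMPLE_EVENTS):
        print("exact-minute keeps:", ln)
    for ln in window_filter(SAMPLE_EVENTS):
        print("window keeps:     ", ln)
    print("suppressed right now:", alert_suppressed_at(datetime.now().strftime("%H:%M")))
```

Which of the two checks to use depends on the alert schedule: filtering on each event's own HH:MM (as in `window_filter`) suppresses restart-window events regardless of when the search runs, while the reply's `now()` comparison (as in `alert_suppressed_at`) suppresses the whole alert run only while the search itself executes inside the window.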