I ended up writing a MessageFilter plugin that intercepts the messages and 
explodes the "timestamp" field into parts:

// Needs org.joda.time.DateTime and org.graylog2.plugin.Message imported
private void explodeDateField(String field, Message message) {
    if (message.hasField(field)) {

        Object fieldValue = message.getField(field);
        if (fieldValue != null) {
            try {

                // try to interpret the field as a date
                DateTime date = new DateTime(fieldValue);
                // assuming we have a valid date here, add the parts back on the message
                message.addField(field + "_dow", date.dayOfWeek().get());
                message.addField(field + "_day_week", date.dayOfWeek().getAsText());

                message.addField(field + "_day", date.dayOfMonth().get());
                message.addField(field + "_day_year", date.dayOfYear().get());
                message.addField(field + "_month", date.monthOfYear().get());
                message.addField(field + "_year", date.year().get());

                message.addField(field + "_hour", date.hourOfDay().get());
                message.addField(field + "_minute", date.minuteOfHour().get());

            } catch (IllegalArgumentException e) {
                // {} is the SLF4J placeholder for the value that failed to parse
                log.debug("IllegalArgumentException thrown - Could not parse timestamp: {}", fieldValue);
            } catch (Exception e) {
                log.error("Exception thrown: '{}'", e.getMessage());
            }
        }
    }
}


So now I can do queries like:

timestamp_day_week:(Sunday Saturday) OR (timestamp_day_week:(Monday Tuesday Wednesday Thursday Friday) AND (timestamp_hour:[17 TO 23] OR timestamp_hour:[0 TO 9]))

Which should find all events occurring outside of M-F 9am-5pm

Not terribly pretty, but it works. 

On Tuesday, October 20, 2015 at 10:39:49 AM UTC-6, Jesse Skrivseth wrote:
>
> Hello everyone, 
>
> Is there a way to do a search for all records with a timestamp that is 
> outside normal business hours? I can't seem to do ranges on timestamps, 
> ignoring the date. 
>
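
An added example, not part of the original post or the plugin: it evaluates the query above against constructed timestamps to show how the inclusive `[a TO b]` ranges treat the 9 and 17 boundaries, and how the zone used to compute the fields changes the result. It uses `java.time` rather than the plugin's Joda-Time; the class name, the sample instants and the two zones are assumptions.

```java
import java.time.*;
import java.time.format.TextStyle;
import java.util.*;

public class OffHoursQueryCheck {
    // Same field names the plugin adds, but computed in an explicit zone.
    static Map<String, Object> explode(String field, Instant ts, ZoneId zone) {
        ZonedDateTime d = ts.atZone(zone);
        Map<String, Object> out = new LinkedHashMap<>();
        out.put(field + "_day_week",
                d.getDayOfWeek().getDisplayName(TextStyle.FULL, Locale.ENGLISH));
        out.put(field + "_hour", d.getHour());
        return out;
    }

    // The query from the post. Lucene [a TO b] ranges include both ends,
    // so hour 9 (09:00-09:59) and hour 17 (17:00-17:59) both match.
    static boolean matchesQuery(Map<String, Object> f) {
        String dow = (String) f.get("timestamp_day_week");
        int hour = (Integer) f.get("timestamp_hour");
        boolean weekend = dow.equals("Saturday") || dow.equals("Sunday");
        boolean offHour = (hour >= 17 && hour <= 23) || (hour >= 0 && hour <= 9);
        // Any day that is not a weekend day is Monday..Friday.
        return weekend || offHour;
    }

    public static void main(String[] args) {
        // Constructed sample instants (UTC), not taken from any real log.
        String[] samples = {
            "2015-10-20T08:59:00Z", // a Tuesday
            "2015-10-20T09:30:00Z",
            "2015-10-20T16:59:00Z",
            "2015-10-20T17:00:00Z",
            "2015-10-24T12:00:00Z"  // a Saturday
        };
        // Assumed zones: UTC and one local zone for comparison.
        ZoneId[] zones = { ZoneId.of("UTC"), ZoneId.of("America/Denver") };
        for (String s : samples) {
            for (ZoneId z : zones) {
                Map<String, Object> f = explode("timestamp", Instant.parse(s), z);
                System.out.printf("%s %-15s %s match=%b%n", s, z, f, matchesQuery(f));
            }
        }
    }
}
```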
