I ended up writing a MessageFilter plugin that intercepts the messages and 
explodes the "timestamp" field into parts:

// Needs: import org.joda.time.DateTime; import org.graylog2.plugin.Message;
private void explodeDateField(String field, Message message) {
    if (message.hasField(field)) {

        Object fieldValue = message.getField(field);
        if (fieldValue != null) {
            try {
                // try to interpret the field as a date
                DateTime date = new DateTime(fieldValue);
                // assuming we have a valid date here, add the parts back on the message
                // day of week as a number (1 = Monday ... 7 = Sunday) and as text
                message.addField(field + "_dow", date.dayOfWeek().get());
                message.addField(field + "_day_week", date.dayOfWeek().getAsText());

                message.addField(field + "_day", date.dayOfMonth().get());
                message.addField(field + "_day_year", date.dayOfYear().get());
                message.addField(field + "_month", date.monthOfYear().get());
                message.addField(field + "_year", date.year().get());

                message.addField(field + "_hour", date.hourOfDay().get());
                message.addField(field + "_minute", date.minuteOfHour().get());
            } catch (IllegalArgumentException e) {
                // the value could not be converted to a DateTime
                log.debug("IllegalArgumentException thrown - Could not parse timestamp {}", fieldValue);
            } catch (Exception e) {
                log.error("Exception thrown '{}'", e.getMessage());
            }

        }
    }
}


So now I can do queries like:

timestamp_day_week:(Sunday Saturday) OR (timestamp_day_week:(Monday Tuesday Wednesday Thursday Friday) AND (timestamp_hour:[17 TO 23] OR timestamp_hour:[0 TO 8]))

Which should find all events occurring outside of M-F 9am-5pm

Not terribly pretty, but it works. 

On Tuesday, October 20, 2015 at 10:39:49 AM UTC-6, Jesse Skrivseth wrote:
>
> Hello everyone, 
>
> Is there a way to do a search for all records with a timestamp that is 
> outside normal business hours? I can't seem to do ranges on timestamps, 
> ignoring the date. 
>
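
The exploded fields and the M-F 9am-5pm test from the post, as a stand-alone added example that is not part of the original message or of Graylog. It uses java.time instead of Joda-Time and applies an explicit time zone, because the weekday and hour written to the message depend on which zone the timestamp is read in. The class name, method names and the America/Denver zone are assumptions.

```java
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.time.format.TextStyle;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Hypothetical helper for illustration; not Graylog plugin API.
public class TimestampParts {
    // Derive the same field suffixes as the filter, in an explicit zone.
    static Map<String, Object> explode(String field, Instant ts, ZoneId zone) {
        ZonedDateTime d = ts.atZone(zone);
        Map<String, Object> parts = new LinkedHashMap<>();
        parts.put(field + "_dow", d.getDayOfWeek().getValue()); // 1 = Monday ... 7 = Sunday
        parts.put(field + "_day_week", d.getDayOfWeek().getDisplayName(TextStyle.FULL, Locale.ENGLISH));
        parts.put(field + "_day", d.getDayOfMonth());
        parts.put(field + "_day_year", d.getDayOfYear());
        parts.put(field + "_month", d.getMonthValue());
        parts.put(field + "_year", d.getYear());
        parts.put(field + "_hour", d.getHour());
        parts.put(field + "_minute", d.getMinute());
        return parts;
    }

    // Weekend, or a weekday hour before 09:00 or from 17:00 onwards.
    static boolean outsideBusinessHours(Map<String, Object> parts, String field) {
        int dow = (Integer) parts.get(field + "_dow");
        int hour = (Integer) parts.get(field + "_hour");
        return dow >= 6 || hour >= 17 || hour <= 8;
    }

    public static void main(String[] args) {
        ZoneId office = ZoneId.of("America/Denver"); // assumed office zone
        // Constructed sample instants in UTC, not taken from any real log.
        List<String> samples = List.of(
            "2015-10-20T16:39:49Z",  // Tuesday 10:39 in Denver
            "2015-10-21T01:15:00Z",  // Tuesday 19:15 in Denver, Wednesday 01:15 in UTC
            "2015-10-24T18:00:00Z",  // Saturday 12:00 in Denver
            "2015-10-23T15:30:00Z"); // Friday 09:30 in Denver
        for (String s : samples) {
            Map<String, Object> p = explode("timestamp", Instant.parse(s), office);
            System.out.println(s + " " + p.get("timestamp_day_week") + " "
                + p.get("timestamp_hour") + "h outside=" + outsideBusinessHours(p, "timestamp"));
        }
    }
}
```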
