Hi,
I need to create a search that calculates the cumulative count of a specific event during the weekend.
I have the following query, which gives me the count of distinct hosts that have EventID 6009. These events can happen at any time during the weekend.
**index=win_logs sourcetype=System EventID=6009 | stats dc(host) AS TotalHostCount**
I've created an alert that will run this search every 2 hours during the weekends (Saturdays AND Sundays) and send an email with the current count, so we can monitor the progress. I did the schedule using cron.
But I am struggling with the right time modifiers to use with the cron schedule... **I want to lock my timeframe to look at events between Saturdays 12:00:00AM and Mondays 12:00:00AM**
I tried to use earliest=@w6 and it locks my search to start on Saturdays, but when the alert is triggered again on Sunday, it is considered a new week (w0) and therefore w6 is a date in the future, messing the whole thing up...
Any ideas?
Thanks!
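As an added worked example (not part of the question above, and independent of Splunk's time-modifier syntax), the following Python computes the fixed window the question asks for, Saturday 00:00:00 through Monday 00:00:00, from whatever time the scheduled search runs, and then applies the equivalent of `dc(host)` for EventID 6009 over events inside that window up to the run time. The sample events, host names and timestamps are constructed for illustration; the point it shows is that the window start must be derived from the run time rather than from a week-relative snap, so a Sunday run still anchors to the preceding Saturday.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical, not real log data) with the three
# fields the search uses: timestamp, host, EventID.
# 2024-03-09 is a Saturday, 2024-03-10 a Sunday, 2024-03-11 a Monday.
SAMPLE_EVENTS = [
    (datetime(2024, 3, 8, 23, 30), "srv01", 6009),  # Friday night: before window
    (datetime(2024, 3, 9, 0, 5), "srv01", 6009),    # Saturday: in window
    (datetime(2024, 3, 9, 13, 0), "srv02", 6009),   # Saturday: in window
    (datetime(2024, 3, 9, 13, 0), "srv02", 6009),   # same host again: counted once
    (datetime(2024, 3, 10, 2, 0), "srv03", 6009),   # Sunday: in window
    (datetime(2024, 3, 10, 2, 0), "srv04", 1074),   # different EventID: ignored
    (datetime(2024, 3, 11, 0, 0), "srv05", 6009),   # Monday 00:00: window end, excluded
]


def weekend_window(now):
    """Return (start, end) for the weekend containing `now`:
    start = Saturday 00:00:00, end = Monday 00:00:00 (exclusive).

    The start is derived by stepping back from `now` to the most recent
    Saturday, so a run on Sunday still anchors to the Saturday that began
    the same weekend instead of rolling forward to a future one.
    Python weekday(): Monday=0 ... Saturday=5, Sunday=6.
    """
    days_since_saturday = (now.weekday() - 5) % 7
    start = (now - timedelta(days=days_since_saturday)).replace(
        hour=0, minute=0, second=0, microsecond=0
    )
    end = start + timedelta(days=2)
    return start, end


def cumulative_host_count(events, now, event_id=6009):
    """Equivalent of `EventID=<event_id> | stats dc(host)` restricted to
    the weekend window containing `now`, with `latest` set to `now` so each
    scheduled run reports the count accumulated so far."""
    start, end = weekend_window(now)
    hosts = {
        host
        for ts, host, eid in events
        if eid == event_id and start <= ts < end and ts <= now
    }
    return len(hosts)


if __name__ == "__main__":
    # Simulate the 2-hourly runs: the window is identical on Saturday and
    # Sunday; only the count grows as more hosts log the event.
    for run in (datetime(2024, 3, 9, 14, 0), datetime(2024, 3, 10, 4, 0)):
        start, end = weekend_window(run)
        print(run, "->", start, "..", end,
              "TotalHostCount =", cumulative_host_count(SAMPLE_EVENTS, run))
```

Running it shows the Saturday 14:00 run and the Sunday 04:00 run both use the window 2024-03-09 00:00 to 2024-03-11 00:00, with the distinct-host count rising from 2 to 3 as srv03 appears on Sunday.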