Can anyone please help?
I want to display the total count of events occurred in a week (but excluding specific day/time i.e. exclude 04-06 PM for Monday and 06-08 PM for Wednesday)
I am running below search, but it doesn't seem to be excluding the counts for specific time because if I am trying to remove the excluding condition, I am still getting the same results.
sourcetype=web_server events IN ("GET", "Delete")
| eval myHour=strftime(_time, "%H")
| eval myMinute=strftime(_time, "%M")
| eval day_of_week = strftime(_time,"%A")
| where NOT ( (day_of_week = "Monday" AND myHour= 4 AND myMinute>=0) OR (day_of_week = "Monday" AND myHour=5) OR (day_of_week = "Monday" AND myHour=6 AND myMinute<=59) OR (day_of_week = "Wednesday" AND myHour= 6 AND myMinute>=0) OR (day_of_week = "Wednesday" AND myHour=7) OR (day_of_week = "Wednesday" AND myHour=8 AND myMinute<=59))
| stats count as Total_events avg(duration) as Duration_of_events by events
↧