I have a search created that alerts when a user has used remote desktop to log into a domain controller. It works splendidly.
I am now enhancing the search to first check to see if there is an entry for work to be done on that domain controller within our change management logs. If there is an entry, then it won't alert.
Our change management logs contain the host that is going to be worked on, and the expected completion date for the work to be done.
The issue that I am having is that I would like to have the search set up so that it can have a time modifier, of say two weeks, at the earliest and the latest to match the "expected completion date" within the change management logs.
So... example would be something like:
index=change_management sourcetype=change_request earliest=-14d@d latest<=change_expected_completion_date approval-approved active=true... etc, etc, etc
Is there any way to use a date/time in conjunction with the "latest" time modifier? If not, is there any suggestion on how to make sure that I am only searching a specific time-chunk based on what is in the logs?
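The following is an added SPL example, not code from the original post. In Splunk, `earliest` and `latest` accept a relative modifier or an absolute literal such as `latest="06/30/2024:23:59:59"` (format `%m/%d/%Y:%H:%M:%S`), but they are resolved when the search is parsed and cannot reference a field value from the events. To bound the window by a per-event date such as `change_expected_completion_date`, convert that field to epoch seconds with `strptime` and compare it against `_time` in a `where` clause. The example below does that inside a subsearch and joins the result onto the RDP alert so that a logon is only reported when no approved change covers it. The index `wineventlog`, the field names `Logon_Type`, `approval` and `active`, the host names `DC01`/`DC02`, and the date format `%Y-%m-%d` are assumptions for illustration; `EventCode=4624` with `Logon_Type=10` is the standard Windows security event for an interactive remote desktop logon.

```spl
/* Assumed: RDP logons to the domain controllers (adjust index, sourcetype, hosts to match your alert) */
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=10 host IN ("DC01","DC02")
/* Left join: pull the latest approved, still-open change window for each host */
| join type=left host
    [ search index=change_management sourcetype=change_request approval=approved active=true earliest=-14d@d
      /* Assumed date format of the change record; adjust to match the log */
      | eval change_window_end=strptime(change_expected_completion_date, "%Y-%m-%d")
      /* Keep only change requests whose expected completion has not already passed */
      | where change_window_end >= now()
      | stats max(change_window_end) AS change_window_end BY host ]
/* Alert only when no change window exists for the host, or the logon happened after the window closed */
| where isnull(change_window_end) OR _time > change_window_end
| table _time host user src_ip change_window_end
```

Two caveats a practitioner should check: `join` subsearches are capped (by default 10,000 results and a 60-second runtime), so if the change management index is large, restrict it further or load the open change windows into a lookup on a schedule and use `lookup` instead of `join`; and `strptime` returns null when the date string does not match the format, which this search would treat as "no change window", so verify the `%Y-%m-%d` pattern against a real record before trusting the suppression.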