Actually, there are several options available to you, depending on what you want exactly.

1) If you just want to see if those logs actually exist, just do this:

a) On the search page, just change the timeframe with the absolute settings, and enter the corresponding timeframe. Here's an example, which will show you every log between yesterday night and this morning: <https://lh3.googleusercontent.com/-ThYNk4Z2bmY/WCAocNd2TPI/AAAAAAAAAqw/AlUA0xKBPfsqitWHfJAJTBafreWaLT2GwCLcB/s1600/1.JPG>

b) Or you can just search on a one-day timeframe and look at the histogram, which will show you exactly what you want, while not needing to adapt the above settings every time. You can also put this graph in a dashboard for easy access/view. <https://lh3.googleusercontent.com/-S48teFP7onQ/WCAtega0D-I/AAAAAAAAArA/58bYnhIrQaES0iSnfzGy_HERB_PFjc1bACLcB/s1600/2.JPG>

2) If you want to keep track of and see all the logs that are in the wrong timeframe (not between 06:00 and 22:00), you will have to create a stream with the following rules, for example:

- source: yourwindowsserver ("source matches exactly yourwindowsserver")
- timestamp must match regular expression: [0-9]{4}-[0-9]{2}-[0-9]{2}T2[2-3]:[0-9]{2}:[0-9]+
- timestamp must match regular expression: [0-9]{4}-[0-9]{2}-[0-9]{2}T0[0-5]:[0-9]{2}:[0-9]+

Not sure about the regexes, but you get the idea. All logs coming from your Windows server will belong to this stream, but only those that have a timestamp between 22:00 and 23:59, and between 00:00 and 06:00.

--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/48857389-3142-45bf-b4e9-78a6969f9f3d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.