Hello,
When I try to create a rule from the collection - Es:(Syslog, Authentication failure on Device) syslog.timestamp >= macros.past_5m && syslog.msg ~ "@authentication failure@" -
I notice that there is a problem with the timestamp check: in the MySQL query the system adds "" around macros.past_5m, and maybe the SQL query is wrong.
I get the same result with any new rule I create that has a syslog.timestamp check.
Thanks
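To illustrate the failure mode described in the post, here is an added example (not the product's own code, and not from the poster). It is a hypothetical rule-to-SQL translator with a switch that either expands macros.past_5m to a concrete timestamp before the value is bound, or passes the macro name through as an ordinary string value, which is what a query log showing `'macros.past_5m'` in quotes indicates. It assumes that `@...@` in the rule is a substring wildcard and that macros.past_5m means "now minus five minutes"; both are assumptions. It runs against an in-memory SQLite table of constructed sample rows rather than MySQL, so the exact coercion behaviour of a MySQL DATETIME column is not reproduced, but the practical effect is visible either way: the time bound the rule was written with is never applied, and in this setup the rule matches nothing at all, without any error.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# The rule from the post, with @...@ read as a substring wildcard (an assumption).
RULE = 'syslog.timestamp >= macros.past_5m && syslog.msg ~ "@authentication failure@"'

TS_FMT = "%Y-%m-%d %H:%M:%S"
NOW = datetime(2024, 5, 1, 12, 0, 0)  # fixed "now" so results are reproducible


def minutes_ago(n, now=NOW):
    return (now - timedelta(minutes=n)).strftime(TS_FMT)


# Constructed sample syslog rows (not real logs): (timestamp, msg).
SAMPLE_ROWS = [
    (minutes_ago(1), "sshd[1201]: authentication failure; user=root"),
    (minutes_ago(3), "sshd[1188]: authentication failure; user=admin"),
    (minutes_ago(30), "sshd[1002]: authentication failure; user=root"),
    (minutes_ago(2), "sshd[1199]: session opened for user bob"),
]

# Hypothetical macro table: a macro expands to a concrete timestamp string.
MACROS = {"macros.past_5m": lambda now: minutes_ago(5, now)}
# Whitelist of rule fields to column names; unknown fields raise KeyError.
COLUMNS = {"syslog.timestamp": "timestamp", "syslog.msg": "msg"}
COND_RE = re.compile(r'\s*([A-Za-z_][\w.]*)\s*(>=|<=|!=|=|~)\s*(.+?)\s*$')


def translate(rule, now=NOW, expand_macros=True):
    """Turn the rule into (sql, params).

    expand_macros=False reproduces the reported behaviour: the macro name is
    bound as an ordinary string value, so the query compares the timestamp
    column against the literal text 'macros.past_5m' instead of a time.
    """
    clauses, params = [], []
    for cond in rule.split("&&"):
        m = COND_RE.match(cond)
        if not m:
            raise ValueError(f"cannot parse condition: {cond!r}")
        field, op, rhs = m.groups()
        col = COLUMNS[field]
        if len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
            rhs = rhs[1:-1]
        if expand_macros and rhs in MACROS:
            rhs = MACROS[rhs](now)  # expand BEFORE the value is quoted/bound
        if op == "~":
            clauses.append(f"{col} LIKE ?")
            params.append(rhs.replace("@", "%"))
        else:
            clauses.append(f"{col} {op} ?")
            params.append(rhs)
    return "SELECT COUNT(*) FROM syslog WHERE " + " AND ".join(clauses), tuple(params)


def render_for_log(sql, params):
    """Inline the bound values as quoted literals, the way a query log shows them."""
    for p in params:
        sql = sql.replace("?", "'" + str(p).replace("'", "''") + "'", 1)
    return sql


def count_matches(rule, now=NOW, expand_macros=True, rows=SAMPLE_ROWS):
    """Run the translated rule against an in-memory SQLite table of sample rows."""
    sql, params = translate(rule, now, expand_macros)
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE syslog (timestamp TEXT, msg TEXT)")
    con.executemany("INSERT INTO syslog VALUES (?, ?)", rows)
    (n,) = con.execute(sql, params).fetchone()
    con.close()
    return n


if __name__ == "__main__":
    for expand in (False, True):
        sql, params = translate(RULE, expand_macros=expand)
        print(("expanded" if expand else "unexpanded") + ":", render_for_log(sql, params))
        print("  matches:", count_matches(RULE, expand_macros=expand))
```

With the macro unexpanded, the rendered query reads `timestamp >= 'macros.past_5m'`; since `'2024-...'` sorts before `'m'`, no row satisfies it and the rule reports zero matches even though two authentication failures occurred in the last five minutes. With the macro expanded first, the same rule yields `timestamp >= '2024-05-01 11:55:00'` and matches exactly those two rows. The practical check when debugging a rule like the one in the post is therefore to look for the macro name inside quotes in the generated query: if it is there, the detection is silently disabled rather than failing loudly.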