Events in the last 24 hours

Looking for a solution to limit the number of positives for an alert to 24 hours. Right now I have an alert for site-to-site VPNs being down, but it is alerting me about disconnects from greater than 5 minutes ago. As you can imagine, that would return all VPN disconnects for as long as the machine has been up. So I want to limit it to the last 24 hours.

Is that possible? Below is the alert rule:
syslog.timestamp >= "macros.past_5m" AND syslog.msg REGEXP "ASA-4-113019" AND syslog.msg REGEXP "LAN-to-LAN" AND syslog.msg NOT REGEXP "User Requested" AND syslog.msg NOT REGEXP "Idle Timeout"


Could I limit the results in the alert template?

If you want past_24h you could create a custom macro, e.g. "past_24h": "DATE_SUB(NOW(),INTERVAL 1 DAY)"
or, perhaps easier, specify it in the alert directly like this: Realtime syslog alerting

You might need to fix the timestamp bug (Alert rule: syslog.timestamp check bug?), and I think you can just use contains instead of Regex.

I will review the possible solutions and let you know what worked.

Thank you so much.

Will this work for a macro? I want the current date.

// the macro value is the SQL fragment, quoted as a PHP string (a bare CURDATE() is not a PHP function)
$config['alert']['macros']['rule']['date'] = 'CURDATE()';

Not sure, you could also check out [solved - kindof] - Notifications in specific time periods
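To make concrete what the macro suggestion above does (and what a CURDATE() macro would do), here is an added Python model of the alert rule from the thread; it is example code written for this page, not LibreNMS's own code. It keeps a small macro table in the same shape as LibreNMS's $config['alert']['macros']['rule'] entries (name to SQL fragment), renders the rule to the SQL condition the collector would run with the macro expanded, and evaluates the same rule locally against constructed syslog rows so you can see which disconnects make it through the 24 hour window and the exclusions. Rendering the match terms as LIKE '%...%' (the "contains" operator suggested above rather than REGEXP) and expanding the date macro to midnight today are assumptions of this example; the sample log lines are constructed, not real device output.

```python
from datetime import datetime, timedelta

# Macro table modelled on LibreNMS's $config['alert']['macros']['rule'] entries:
# name -> (SQL fragment it expands to, equivalent Python evaluator for local checks).
# past_24h is the custom macro suggested in the thread; 'date' models a CURDATE()
# macro, assumed here to mean midnight at the start of the current day.
MACROS = {
    "past_5m":  ("DATE_SUB(NOW(),INTERVAL 5 MINUTE)", lambda now: now - timedelta(minutes=5)),
    "past_24h": ("DATE_SUB(NOW(),INTERVAL 1 DAY)", lambda now: now - timedelta(days=1)),
    "date":     ("CURDATE()", lambda now: now.replace(hour=0, minute=0, second=0, microsecond=0)),
}

# The thread's rule as structured terms: a time-window macro, substrings that must
# appear in syslog.msg, and substrings that must not (assumed 'contains' semantics).
RULE = {
    "since": "past_24h",
    "contains": ["ASA-4-113019", "LAN-to-LAN"],
    "not_contains": ["User Requested", "Idle Timeout"],
}


def render_sql(rule, macros=MACROS):
    """Render the rule as the SQL WHERE condition with the time macro expanded."""
    since_sql = macros[rule["since"]][0]
    parts = [f"syslog.timestamp >= {since_sql}"]
    parts += [f"syslog.msg LIKE '%{s}%'" for s in rule["contains"]]
    parts += [f"syslog.msg NOT LIKE '%{s}%'" for s in rule["not_contains"]]
    return " AND ".join(parts)


def matches(rule, row, now, macros=MACROS):
    """Evaluate the rule for one (timestamp, msg) row, mirroring render_sql()."""
    ts, msg = row
    if ts < macros[rule["since"]][1](now):       # outside the time window
        return False
    if not all(s in msg for s in rule["contains"]):
        return False
    if any(s in msg for s in rule["not_contains"]):  # expected/benign reasons
        return False
    return True


def evaluate(rule, rows, now, macros=MACROS):
    """Return the rows that would trigger the alert at time `now`."""
    return [row for row in rows if matches(rule, row, now, macros)]


# Constructed sample rows (not real ASA logs) covering the cases discussed above.
NOW = datetime(2024, 1, 10, 12, 0, 0)
L2L = "%ASA-4-113019: Group = tunnel-a, Username = 203.0.113.5, Session disconnected. Session Type: LAN-to-LAN, Reason: "
SAMPLE_ROWS = [
    # recent site-to-site tunnel drop for an unexpected reason: should alert
    (NOW - timedelta(minutes=30), L2L + "Lost Service"),
    # same event but three days old: outside the 24h window, must not alert
    (NOW - timedelta(days=3), L2L + "Lost Service"),
    # recent but operator initiated: excluded by NOT LIKE
    (NOW - timedelta(hours=2), L2L + "User Requested"),
    # recent idle timeout: excluded by NOT LIKE
    (NOW - timedelta(hours=5), L2L + "Idle Timeout"),
    # recent remote-access (non LAN-to-LAN) disconnect: not a site-to-site tunnel
    (NOW - timedelta(minutes=10), "%ASA-4-113019: Session disconnected. Session Type: SSL, Reason: Lost Service"),
]

if __name__ == "__main__":
    print(render_sql(RULE))
    for ts, msg in evaluate(RULE, SAMPLE_ROWS, NOW):
        print(ts, msg)
```

Switching RULE["since"] to "past_5m" reproduces the original rule's window and, with the sample rows above, returns nothing; with a working past_24h macro only the 30-minute-old Lost Service disconnect survives, which is the behaviour the original poster is after.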

Thank you, Chas.