How to set cardinality rules, 22:00-8:00, max_cardinality:20

Question

How to set cardinality rules, 22:00-8:00, max_cardinality:20

Pa55w0rd opened this issue 3 years ago · 0 comments

name: test
type: cardinality
index: elk_*
cardinality_field: testid
max_cardinality: 20
ignore_null: true   
query_key: username
timeframe:
  minutes: 60
filter:
- query:
    query_string:
      query: "event_type: test"

how to set timeframe