Detect Dying Sourcetypes

This alert is used for looking at a prior dataset of indexes and sourcetypes reporting over time, and then involves pairing to a closer, temporal dataset. Appending the results allows you to view sourcetypes that have stopped reporting, but existed in the prior period.   | tstats count where earliest=-90d latest=-60d index=proxies_na by _time sourcetype […]

Continue Reading →