This alert is used for looking at a prior dataset of indexes and sourcetypes reporting over time, and then involves pairing to a closer, temporal dataset. Appending the results allows you to view sourcetypes that have stopped reporting, but existed in the prior period.
| tstats count where earliest=-90d latest=-60d index=proxies_na by _time sourcetype span=1d | append [ | tstats count where earliest=-30d latest=now index=proxies_na by _time sourcetype span=1d | where count=0 ] | timechart span=1d values(count) AS count by sourcetype | streamstats avg(count) as avgCount by sourcetype
Wouldn’t the metadata command be better for this? It’s much faster imo. The only thing is it breaks things out only by sourcetype or host but not index. However, using a subsearch to add the index in could be done with the metasearch command which is also pretty quick and neither of these commands rely on data models being correct or accelerated.