Identifying Hosts not sending data for more than 6 hours

_internal
vr2312
You already voted!

| tstats latest(_time) as latest where index!="*_" earliest=-9h by host index sourcetype
| eval recent = if(latest > relative_time(now(),"-360m"),"1","0"), LastReceiptTime = strftime(latest,"%c")
| where recent=0
| sort LastReceiptTime
| eval age=now()-latest
| eval age=round((age/60/60),1)
| eval age=age."hour"
| fields - recent latest

Share This:

Tagged: forwarder logs splunk data missing

Leave A Comment? Click here to cancel reply.

Newest | Active

banshee

Active 9 hours, 22 minutes ago
Яромир

Active 15 hours, 5 minutes ago
Борис

Active 1 day, 3 hours ago
Sanjai

Active 6 days, 18 hours ago
bewafaha

Active 1 week, 2 days ago