SPL
Identifying Hosts not sending data for more than 6 hours
Description
| tstats latest(_time) as latest where index!="*_" earliest=-9h by host index sourcetype
| eval recent = if(latest > relative_time(now(),"-360m"),"1","0"), LastReceiptTime = strftime(latest,"%c")
| where recent=0
| sort latest
| eval age=now()-latest
| eval age=round((age/60/60),1)
| eval age=age."hour"
| fields - recent latest