SPL
List of hosts and sourcetypes not sending data in last 24 Hours
Description
| noop
| append [| metadata type=hosts | table *]
| append [| metadata type=sourcetypes | table *]
| eval t = now() - lastTime
| where t > 86400
| eval name = coalesce(host, sourcetype)
| table name t lastTime totalCount type
| rename t as "Seconds since Event"
| convert ctime(lastTime) timeformat="%m/%d/%Y %H:%M:%S %z"
Comments
1 total
Hi

The search is not working.

"|noop" does not exist and therefore I get the following error:

"Error in 'append' command: The 'append' command cannot be the first command in a search."