SPL
Timestamps from the future.
Description
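Shows all hosts that are sending events with timestamps more than 5 minutes (300 seconds) ahead of the current time. Note that the metadata command reads only the default index (usually main) unless an index argument such as index=* is added, so hosts that log only to other indexes are not listed by the search as written.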
| metadata type=hosts
| where lastTime>now()+300
| eval mins_in_future=(lastTime-now())/60
| eval years_in_future=mins_in_future/60/24/365
| fieldformat lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S %Z")
| table lastTime, host, mins_in_future, years_in_future
| sort - mins_in_future
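A follow-up drill-down, added here as an example and not part of the original SPL: the metadata search names the host but not which data source carries the bad clock or timestamp parsing, so this variant counts the future-dated events per host, index and sourcetype. The index=* scope and the +10y upper bound on the search window are assumptions; narrow both to fit your environment.

```spl
| tstats count AS future_events max(_time) AS lastTime
    where index=* earliest=+5m latest=+10y
    by host, index, sourcetype
| eval mins_in_future=round((lastTime-now())/60, 1)
| eval years_in_future=round(mins_in_future/60/24/365, 2)
| fieldformat lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S %Z")
| table lastTime, host, index, sourcetype, future_events, mins_in_future, years_in_future
| sort - mins_in_future
```

A single sourcetype with future timestamps on an otherwise healthy host usually points at timestamp extraction or time zone settings for that source, while every sourcetype on a host being ahead points at the host clock.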