| tstats latest(_time) as latest where index!=”*_” earliest=-9h by host index sourcetype | eval recent = if(latest > relative_time(now(),”-360m”),”1″,”0″), LastReceiptTime = strftime(latest,”%c”) | where recent=0 | sort LastReceiptTime | eval age=now()-latest | eval age=round((age/60/60),1) | eval age=age.”hour” | fields – recent latest
