|noop |append [ |metadata type=hosts | table *] | append [|metadata type=sourcetypes | table *] | eval t = now() – lastTime | where t > 86400 | eval name = coalesce(host,sourcetype)| table name t lastTime totalCount type |rename t as “Seconds since Event” | convert ctime(lastTime) timeformat=”%m/%d/%Y %H:%M:%S %z”
