This alert compares a prior dataset of indexes and sourcetypes reporting over time against a closer, more recent dataset. Appending the recent results to the prior ones lets you view sourcetypes that existed in the prior period but have since stopped reporting.
```
| tstats count where earliest=-90d latest=-60d index=proxies_na by sourcetype
| eval period="prior"
| append
    [ | tstats count where earliest=-30d latest=now index=proxies_na by sourcetype
      | eval period="recent" ]
| stats sum(eval(if(period=="prior",count,0))) AS priorCount
        sum(eval(if(period=="recent",count,0))) AS recentCount
        by sourcetype
| where priorCount>0 AND recentCount=0
```

Note that `tstats` returns no row at all for a sourcetype (or day) with zero events, so filtering the recent subsearch with `where count=0` would return nothing; the comparison has to be done after the append, which is why each side is tagged with a `period` field and the two totals are compared per sourcetype.
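The same two-window comparison outside Splunk, as an added example that is not from the original page: it replays the logic over constructed daily count rows (sourcetype names and counts are made up), treats days with no row as zero, and additionally flags sourcetypes that still report but whose daily volume dropped sharply.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: (day, sourcetype, count) rows, as tstats would return them.
# A day with no events has no row at all, which is why "where count=0" finds nothing.
TODAY = date(2024, 6, 30)
PRIOR = (TODAY - timedelta(days=90), TODAY - timedelta(days=60))   # earliest=-90d latest=-60d
RECENT = (TODAY - timedelta(days=30), TODAY)                       # earliest=-30d latest=now

def daily_rows(start, end, sourcetype, per_day):
    """Emit one (day, sourcetype, count) row per day; days with zero events are skipped."""
    d = start
    while d < end:
        if per_day:
            yield (d, sourcetype, per_day)
        d += timedelta(days=1)

SAMPLE = (list(daily_rows(*PRIOR, "bluecoat:proxy", 1200))
          + list(daily_rows(*RECENT, "bluecoat:proxy", 1150))
          + list(daily_rows(*PRIOR, "squid:access", 300))     # silent in the recent window
          + list(daily_rows(*PRIOR, "zscaler:web", 900))
          + list(daily_rows(*RECENT, "zscaler:web", 40)))     # still reporting, volume collapsed

def avg_daily_count(rows, window):
    """Average events per calendar day in the window; missing days count as 0 (like fillnull)."""
    start, end = window
    days = (end - start).days
    totals = defaultdict(int)
    for day, sourcetype, count in rows:
        if start <= day < end:
            totals[sourcetype] += count
    return {st: total / days for st, total in totals.items()}

def stopped_reporting(rows, prior=PRIOR, recent=RECENT):
    """Sourcetypes present in the prior window but absent from the recent one."""
    prior_st = set(avg_daily_count(rows, prior))
    recent_st = set(avg_daily_count(rows, recent))
    return sorted(prior_st - recent_st)

def volume_drops(rows, ratio=0.5, prior=PRIOR, recent=RECENT):
    """Sourcetypes still reporting whose recent daily average fell below ratio * prior average."""
    p = avg_daily_count(rows, prior)
    r = avg_daily_count(rows, recent)
    return sorted(st for st in p if st in r and r[st] < ratio * p[st])

if __name__ == "__main__":
    print("stopped reporting:", stopped_reporting(SAMPLE))
    print("volume dropped:   ", volume_drops(SAMPLE))
```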