https://community.splunk.com/t5/Splunk-Search/Search-string-to-filter-filed-not-updated-in-last-24-hours/m-p/295212#M164861 <P>@Gowtham0809, from the query seems like you want to check whether there is any data source which has not data today but was sending data earlier. Instead of running base search on your index with all time search, you should leverage commands like <CODE>metadata</CODE> or <CODE>tstats</CODE> which are specifically meant for such use cases.</P> <P><STRONG>Option 1: Using Metadata command</STRONG></P> <PRE><CODE>| metadata type="sources" index="index" | where lastTime&lt;relative_time(now(),"-1d@d") | fieldformat lastTime=strftime(lastTime,"%c") | table source totalCount lastTime </CODE></PRE> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata</A></P> <P><STRONG>Option 2: Using tstats command</STRONG></P> <PRE><CODE>| tstats count as Events earliest(_time) AS EarlistEventTime, latest(_time) AS LatestEventTime WHERE index="index" BY source | where LatestEventTime&lt;relative_time(now(),"-1d@d") | fieldformat LatestEventTime=strftime(LatestEventTime,"%c") | table source Events LatestEventTime </CODE></PRE> <P><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Tstats#Examples">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Tstats#Examples</A></P> <P>PS: <CODE>"-1d@d"</CODE> implies one day before, for last 24 hours ago you should use <CODE>"-24h@h"</CODE>.</P> Fri, 24 Nov 2017 08:07:23 GMT niketn 2017-11-24T08:07:23Z https://community.splunk.com/t5/Splunk-Search/Search-string-to-filter-filed-not-updated-in-last-24-hours/m-p/295210#M164859 <P>Hi,</P> <P>I use the below search to filer the source which were not updated on current day(Today)</P> <P>index=index sourcetype="sourcetype" source="source*.csv" | table source, _time | dedup source | where _time &lt; relative_time(now(),"-1d@d).</P> <P>This string was providing the results and not suddenly stops working. No changes were made what so ever.</P> <P>can some one help me with this</P> <P>Thanks</P> Tue, 29 Sep 2020 16:53:02 GMT https://community.splunk.com/t5/Splunk-Search/Search-string-to-filter-filed-not-updated-in-last-24-hours/m-p/295210#M164859 Gowtham0809 2020-09-29T16:53:02Z https://community.splunk.com/t5/Splunk-Search/Search-string-to-filter-filed-not-updated-in-last-24-hours/m-p/295211#M164860 <P>Hi Gowtham, what's the error do you get when you run the query?</P> Fri, 24 Nov 2017 04:22:18 GMT https://community.splunk.com/t5/Splunk-Search/Search-string-to-filter-filed-not-updated-in-last-24-hours/m-p/295211#M164860 MousumiChowdhur 2017-11-24T04:22:18Z https://community.splunk.com/t5/Splunk-Search/Search-string-to-filter-filed-not-updated-in-last-24-hours/m-p/295212#M164861 <P>@Gowtham0809, from the query seems like you want to check whether there is any data source which has not data today but was sending data earlier. Instead of running base search on your index with all time search, you should leverage commands like <CODE>metadata</CODE> or <CODE>tstats</CODE> which are specifically meant for such use cases.</P> <P><STRONG>Option 1: Using Metadata command</STRONG></P> <PRE><CODE>| metadata type="sources" index="index" | where lastTime&lt;relative_time(now(),"-1d@d") | fieldformat lastTime=strftime(lastTime,"%c") | table source totalCount lastTime </CODE></PRE> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata</A></P> <P><STRONG>Option 2: Using tstats command</STRONG></P> <PRE><CODE>| tstats count as Events earliest(_time) AS EarlistEventTime, latest(_time) AS LatestEventTime WHERE index="index" BY source | where LatestEventTime&lt;relative_time(now(),"-1d@d") | fieldformat LatestEventTime=strftime(LatestEventTime,"%c") | table source Events LatestEventTime </CODE></PRE> <P><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Tstats#Examples">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Tstats#Examples</A></P> <P>PS: <CODE>"-1d@d"</CODE> implies one day before, for last 24 hours ago you should use <CODE>"-24h@h"</CODE>.</P> Fri, 24 Nov 2017 08:07:23 GMT https://community.splunk.com/t5/Splunk-Search/Search-string-to-filter-filed-not-updated-in-last-24-hours/m-p/295212#M164861 niketn 2017-11-24T08:07:23Z https://community.splunk.com/t5/Splunk-Search/Search-string-to-filter-filed-not-updated-in-last-24-hours/m-p/295213#M164862 <P>What @niketnilay said except that <CODE>metadata</CODE> does strange things in regards to the TimePicker (because it has to: it has to judge on a bucket-by-bucket basis and any bucket may have a considerable span of events) so <EM>definitely</EM> use <CODE>tstats</CODE>. Additionally, I would weight <CODE>_indextime</CODE> more than <CODE>_time</CODE> because what you really care about is that events are still being indexed, right? So this:</P> <PRE><CODE>| tstats count max(_indextime) AS _time WHERE index="index" BY source | eval secondsSinceLastIndexed = now() - _time | sort 0 - secondsSinceLastIndexed | lastIndexDistance=tostring(secondsSinceLastIndexed , "duration") </CODE></PRE> Mon, 27 Nov 2017 01:18:39 GMT https://community.splunk.com/t5/Splunk-Search/Search-string-to-filter-filed-not-updated-in-last-24-hours/m-p/295213#M164862 woodcock 2017-11-27T01:18:39Z