I have many hosts that send logs that end up in one index, and each of them has two or three sources.
Sometimes data comes from a particular host, but not from all sources for this host.
Is it possible to track a source on a particular host that stopped sending data?
This kind of requirement is now fully addressed by the concept of Elastic sources in TrackMe starting with version 1.2.x.
Greetings,
This query will show you all index, sourcetype, and host combinations (in the _internal index only in this case) that reported data between 24 and 48 hours ago but not in the past 24 hours. Feel free to modify it to your liking.
| tstats count where index=_internal earliest=-48h latest=-24h by index, sourcetype, host
| join type=left max=0 [ | tstats count as new_count where index=_internal earliest=-24h latest=now by index, sourcetype, host ]
| where isnull(new_count)
Cheers,
Jacob
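The comparison Jacob's search performs (every index/sourcetype/host combination seen 24-48 hours ago, minus those seen in the last 24 hours) is easy to reproduce outside Splunk, which also makes the per-host view the original question asks for explicit. The following is an added example, not code from the thread or from any Splunk or TrackMe component: it runs over constructed records (the reference time, hosts, sourcetypes and timestamps are all assumptions) in the shape a `tstats ... by index, sourcetype, host` result would have, and reports which sources on a host went silent while the host itself is still sending.

```python
"""Detect (index, sourcetype, host) combinations that reported in a baseline
window but went silent in the most recent window.

Added example, not code from the original thread. It re-implements the
comparison made by the SPL answer (baseline 24-48h ago vs. last 24h) over
constructed records, so it runs offline without Splunk.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed reference time for the constructed data (stands in for "now").
NOW = datetime(2024, 1, 3, 12, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)

# Constructed sample records: (timestamp, index, sourcetype, host), the shape
# of one row from `tstats count ... by index, sourcetype, host`.
EVENTS = [
    # web01 reports three sources in the baseline window (24-48h ago) ...
    (NOW - 30 * H, "main", "access_combined", "web01"),
    (NOW - 30 * H, "main", "error_log", "web01"),
    (NOW - 30 * H, "main", "metrics", "web01"),
    # ... but only two of them in the last 24h: error_log went quiet.
    (NOW - 2 * H, "main", "access_combined", "web01"),
    (NOW - 2 * H, "main", "metrics", "web01"),
    # db01 reported in the baseline and then stopped completely.
    (NOW - 40 * H, "main", "postgres", "db01"),
    # app02 is a new host seen only in the last 24h: no baseline, so it must
    # not be reported as missing.
    (NOW - 1 * H, "main", "app_log", "app02"),
    # Data older than the baseline window is ignored entirely.
    (NOW - 72 * H, "main", "syslog", "old01"),
]


def split_windows(events, now, window=timedelta(hours=24)):
    """Return (baseline, recent): sets of (index, sourcetype, host) keys seen
    in [now-2*window, now-window) and in [now-window, now] respectively."""
    baseline_start = now - 2 * window
    recent_start = now - window
    baseline, recent = set(), set()
    for ts, index, sourcetype, host in events:
        key = (index, sourcetype, host)
        if baseline_start <= ts < recent_start:
            baseline.add(key)
        elif recent_start <= ts <= now:
            recent.add(key)
    return baseline, recent


def silent_sources(events, now=NOW, window=timedelta(hours=24)):
    """Keys present in the baseline window but absent from the recent one.
    This is the set difference that the left join + isnull(new_count) in
    the SPL answer computes."""
    baseline, recent = split_windows(events, now, window)
    return sorted(baseline - recent)


def classify_by_host(events, now=NOW, window=timedelta(hours=24)):
    """For each host that had a baseline, list which sourcetypes are still
    active and which went silent. Hosts first seen in the recent window are
    skipped: they have nothing to compare against."""
    baseline, recent = split_windows(events, now, window)
    report = defaultdict(lambda: {"active": [], "silent": []})
    for index, sourcetype, host in sorted(baseline):
        bucket = "active" if (index, sourcetype, host) in recent else "silent"
        report[host][bucket].append(sourcetype)
    return dict(report)


if __name__ == "__main__":
    for host, status in classify_by_host(EVENTS).items():
        print(f"{host}: silent={status['silent']} active={status['active']}")
```

Keying on the full (index, sourcetype, host) triple rather than on host alone is what catches the case in the question, where a host keeps sending one or two of its sources and drops another. Building two sets and taking the difference also sidesteps the join: in Splunk the subsearch inside `join` is subject to subsearch result limits, so on a large estate the same logic is usually expressed as a single `tstats` split by time range, or, as the other answer notes, delegated to TrackMe.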