There are many hosts in an indexer. How do I check whether a log is missing?
If a host has not sent a log within an hour, I consider that a log loss.
If a host's log is lost, I need to find it and be reminded.
How should the SPL statement be written?
The following search will alert you if there are any hosts that haven't sent any data for more than one hour (3600 seconds).
# compare last event's time to now
| metadata type=hosts | eval since=now()-lastTime | search since>3600 | ...
# compare indexer's time when last event came to now
| metadata type=hosts | eval since=now()-recentTime | search since>3600 | ...
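As an added example (not from the original answer), the two one-liners above combined into one alert search. `lastTime` is the latest event timestamp (`_time`) seen for the host and `recentTime` is the latest time the indexer received data from it, so computing both side by side shows why they can disagree: a host whose clock is ahead produces a negative `since_last` and is never caught by the `lastTime` check alone, while a host that backfills old logs is flagged by `lastTime` although it is still sending. The `index=*` restriction, the field names `since_last`/`since_recent` and the `reason` strings are choices made for this example, not part of the original answer.

```spl
| metadata type=hosts index=*
| eval since_last=now()-lastTime, since_recent=now()-recentTime
| where since_recent>3600 OR since_last>3600
| eval lastEvent=strftime(lastTime, "%Y-%m-%d %H:%M:%S"),
       lastSeen=strftime(recentTime, "%Y-%m-%d %H:%M:%S"),
       reason=case(since_last<0, "event time in the future: check the host clock",
                   since_recent<=3600, "old timestamps indexed recently: backfill or clock drift",
                   true(), "no data indexed for more than one hour")
| table host lastEvent lastSeen since_last since_recent reason
| sort - since_recent
```

Save it as a scheduled alert that triggers when the number of results is greater than zero. One caveat a practitioner should keep in mind: `metadata` only reports hosts that still have events in a searchable bucket, so a host that has been silent long enough for its data to age out disappears from the results instead of being alerted on; to catch those, compare the output against a maintained list of expected hosts (for example via `inputlookup`) and alert on hosts missing from the `metadata` results as well.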