Anyone have an idea on how to write a search that will provide details on which log source stopped reporting for the last 24 hours?
For hosts, like this (with a very large time picker value):
| metadata type=hosts
| eval age = now() - lastTime
| search age > 86400
|metadata type=sources | eval age = now() - lastTime | search age > 86400
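The metadata searches above give one dimension at a time (hosts, or sources, or sourcetypes), so they cannot say which Windows server's event log has gone quiet while the same host still sends other data. The search below is an added example written for this page, not code from the thread; it uses tstats to get the latest event time per host and sourcetype pair, applies the same 24-hour (86400 second) threshold, and assumes the searching role can see every index (index=*) and that a 30-day lookback is wide enough for your environment.

```spl
| tstats max(_time) as last_event where index=* earliest=-30d by host sourcetype
| eval age = now() - last_event
| where age > 86400
| eval age_hours = round(age / 3600, 1), last_seen = strftime(last_event, "%Y-%m-%d %H:%M:%S")
| table host sourcetype last_seen age_hours
| sort -age_hours
```

Two caveats a practitioner should keep in mind. First, the lookback window is also the memory of the check: a host that stopped reporting more than 30 days ago drops out of the results entirely instead of showing as stale, so either widen earliest or compare the output against a maintained lookup of expected hosts. Second, both this search and the metadata version measure event time, so a forwarder with a badly skewed clock can produce events stamped in the future, giving a negative age and hiding a genuinely dead source; the recentTime field returned by the metadata command is the index time of the newest event and is the safer basis when the question is "has anything arrived lately".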
Thank you, but do you know if there is a way to separate out the devices that are not reporting? Meaning, if it's a Windows server, I want to see the actual server that is not reporting. Hope this makes sense.