Archive

What can be a light sanity check for content?

ddrillic
Ultra Champion

Our users would like to run queries, on a regular basis, which would show them that their data keeps flowing in without issues. One user came up with the following -
index=xxxxxx earliest=-1m | stats latest(_time) as latestTime by host sourcetype source | eval latestTime=strftime(latestTime,"%x,%X")

Is it reasonable? I think that tstats is better, right?

Tags (1)
0 Karma
1 Solution

somesoni2
Revered Legend

Tstats much better as it's faster. Since multiple users are going to run this, you need something faster.

| tstats latest(_time) as latestTime WHERE index=xxxxxx earliest=-1m by host sourcetype source | eval latestTime=strftime(latestTime,"%x,%X")

View solution in original post

0 Karma

somesoni2
Revered Legend

Tstats much better as it's faster. Since multiple users are going to run this, you need something faster.

| tstats latest(_time) as latestTime WHERE index=xxxxxx earliest=-1m by host sourcetype source | eval latestTime=strftime(latestTime,"%x,%X")

View solution in original post

0 Karma

ddrillic
Ultra Champion

Perfect!!!

0 Karma