Hi all,
I have written the metadata search below to find the hosts that reported yesterday but are not reporting in the last hour.
| metadata type=hosts |eval current=now() |eval lastHour=relative_time(current,"-1h") | eval yesterday=relative_time(now(), "-1d") | where ( recentTime>yesterday AND recentTime<lastHour) | convert ctime(current) as Current_Time, ctime(lastHour) as Last_Hour, ctime(recentTime) as Recent | table Current_Time,Last_Hour,Recent, host
This search is returning a list of hosts, but after I dig into these hosts, they seem to be reporting to their respective indexes, which means the metadata search is giving me wrong results.
I started breaking up the search and excluded recentTime<lastHour from the where clause. Below is the resulting search:
| metadata type=hosts | eval current=now() |eval lastHour=relative_time(current,"-1h") | eval yesterday=relative_time(now(), "-1d") | where recentTime>yesterday | convert ctime(current) as Current_Time, ctime(lastHour) as Last_Hour, ctime(recentTime) as Recent | table Current_Time,Last_Hour,Recent, host
This gives me a list of only 2 hosts, whereas in my environment, hundreds of hosts are reporting.
Not really sure what is happening.
Please help!
Try this for specific indexes:
| metadata index=foo index=bar index=baz type=hosts
You want your search to start with:
| metadata index=* type=hosts
I have a huge number of indexes, so I think I cannot use the metadata command. Could you let me know the other approach of going after license logs to get this information?
I have huge indexes, so I cannot afford to use index=*.
How do you expect this to work? The metadata command reads the metadata stored inside the indexes...
If you only have a handful of indexes you want to check, you can try this:
| metadata (index=foo OR index=bar OR index=baz) type=hosts
The other approach is to base it on your license logs.
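As an added example (editor's code, not posted by anyone in this thread), here is the "reported yesterday but silent for the last hour" check written against an explicit index list, as the replies above recommend. The index names foo, bar and baz are placeholders for your own indexes. Without an index= term, metadata only covers the indexes your role searches by default (often just main), which is why the second search in the question returns a couple of hosts instead of hundreds.

```spl
| metadata type=hosts index=foo index=bar index=baz
| eval lastHour=relative_time(now(), "-1h"), yesterday=relative_time(now(), "-1d")
| where recentTime > yesterday AND recentTime < lastHour
| eval Recent=strftime(recentTime, "%Y-%m-%d %H:%M:%S"),
       Last_Hour=strftime(lastHour, "%Y-%m-%d %H:%M:%S")
| table host Recent Last_Hour totalCount
| sort Recent
```

Two things to keep in mind when reading the result: recentTime is the index time of the most recently indexed event for that host, while lastTime is the latest event _time, so a host with a skewed clock is judged by when its data actually arrived rather than what it claims. And because metadata summarises per index, a host that writes to an index you left out of the list can still show up as silent; add every index the host is expected to write to, or use a wildcard such as index=os_* if your naming allows it.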
This is incorrect:
| metadata (index=foo OR index=bar OR index=baz) type=hosts
For some reason, metadata seems to dislike OR. You can use:
| metadata index=this index=that
It works fine. It does mean that I'm unable to use macros that contain multiple indexes separated by OR with metadata.
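The license-log approach mentioned in the replies above, written out as an added example (editor's code, not from this thread). license_usage.log lives in the _internal index of the license master and its type=Usage lines carry the reporting host in the h field and the indexed bytes in b, so the search must be run where the license master's _internal data is searchable. The one-day and one-hour windows match the original question.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=-1d
| stats max(_time) AS lastSeen, sum(b) AS bytes BY h
| where lastSeen < relative_time(now(), "-1h")
| eval lastSeen=strftime(lastSeen, "%Y-%m-%d %H:%M:%S")
| rename h AS host
| sort lastSeen
```

Because the base search is already limited to the last day, every host in the stats output reported yesterday; the where clause then keeps only those whose newest usage line is older than an hour. The caveat for large environments: when the number of distinct host and source combinations exceeds squash_threshold in server.conf, Splunk stops recording per-host detail and the h and s values in the Usage lines come through empty, so this method silently loses hosts exactly where the index count was too big for metadata in the first place. Check for blank h values in the output before trusting it, and raise squash_threshold on the license master if you need the breakdown.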