Looking for assistance with a search -
| metadata type=hosts
| rename lastTime as "Last Event"
| search host=****
| fieldformat "Last Event"=strftime('Last Event', "%c")
| table host "Last Event"
| rename host as Host
This search currently provides the host and its last reported event. I'm hoping to add one more column that essentially gives me a "Host Reporting" or "Host Not Reporting" value based on the last event time: if "Last Event" is older than 10 minutes, show "Host Not Reporting".
Any help would be appreciated.
General guidelines:
1) Eliminate records as early as possible.
2) Do the calculations that matter before reformats and renames.
3) Do renames that make the names clumsy to program as LATE as possible.
| metadata type=hosts | search host=*
| eval HostStatus=if(lastTime<relative_time(now(),"-10m"),"Not Reporting","Reporting")
| fieldformat lastTime=strftime(lastTime, "%c")
| rename host as Host, lastTime as "Last Event"
| table Host "Last Event" HostStatus
Final note: the %c format is REALLY clumsy to read or to scan down. Try this instead...
| eval "Last Event"=strftime(lastTime, "%Y-%m-%d %H:%M:%S.%3Q").case(relative_time(lastTime,"@d")=relative_time(now(),"@d")," ... (today)",
relative_time(lastTime,"@d")>=relative_time(now(),"-1d@d")," ... (yesterday)",
relative_time(lastTime,"@d")>=relative_time(now(),"-6d@d")," ... (last ".strftime(lastTime, "%A").")",
relative_time(lastTime,"@d")>=relative_time(now(),"-70d@d")," ... (".round((now()-lastTime)/86400/7)." weeks ago)",
true()," ... long ago")
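An added example, not part of the answer above or the original question, showing how the same "Not Reporting" check can be built so that it also catches hosts that have gone completely silent for the whole search window. Both `metadata` and `tstats` only return hosts that have at least one event, so a host that died last week simply vanishes from the result set. The fix is to merge in a list of hosts you expect to see; here that list is assumed to come from a hypothetical lookup `expected_hosts.csv` with a single `host` column. `tstats max(_time)` is used instead of `metadata` because it reads the index-time summaries directly; the 7-day window and the 10-minute threshold are assumptions, adjust them to your environment:

```spl
| tstats max(_time) as lastTime where index=* earliest=-7d by host
| append [| inputlookup expected_hosts.csv | fields host]
| stats max(lastTime) as lastTime by host
| eval HostStatus=case(isnull(lastTime), "Never Seen (7d)",
                       lastTime<relative_time(now(),"-10m"), "Not Reporting",
                       true(), "Reporting")
| eval MinutesSilent=round((now()-lastTime)/60)
| eval "Last Event"=if(isnull(lastTime), "no events in 7d",
                       strftime(lastTime, "%Y-%m-%d %H:%M:%S"))
| where HostStatus!="Reporting"
| sort - MinutesSilent
| rename host as Host
| table Host "Last Event" MinutesSilent HostStatus
```

Hosts that exist only in the lookup come out of `stats` with a null `lastTime`, which `case()` turns into the "Never Seen (7d)" status; hosts that are reporting but missing from the lookup still appear, so the lookup does not have to be perfect to be useful. Drop the `where` line to see every host rather than only the stale ones. One caveat worth keeping in mind: `lastTime` is the event's `_time`, not the time the event was indexed, so a forwarder with a badly skewed clock can make a host look healthy (timestamps in the future) or dead (timestamps in the past) regardless of whether data is actually arriving.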
Upvote for the detailed answer.
@SMWickman be careful when using the metadata command, as it's not always accurate.
Read this answer for a detailed explanation:
https://answers.splunk.com/answers/294791/accuracy-of-metadata-command-in-large-environments.html
Thank you! Appreciate the detailed response!