| metadata index=m type=sources
| eval ageInDays = round((now()-lastTime)/86400)
| where ageInDays > 0.99 AND ageInDays<170.00
| convert ctime(lastTime)
| convert ctime(firstTime)
| convert timeformat="%Y %D" mktime(ageInDays)
| rename ageInDays as Days
| sort by Days

thanks alot

So that gives you a list of sources in that index, which have had events ingested in the past 1-170 days. I assume source in this case relates to what you called "log/file" in your question?

What exactly do you mean with "accessed"? Because that metadata search will give you when latest events were received from a certain source (log/file). "Access" sounds like you want to know when someone last looked at it?

Also, what exactly is your goal? In what sense do you want to whitelist certain sources?

Sorry Frank,

Yes i want to know when a file is uploaded too like a log. I am using a panel to show me if any logs have stopped logging for some reason.

So want a query to find out if for example a file/log logs once but then never logs again thats fine. i want to whitelist those. So some sort of counter i suppose. If a file doesnt log and it had been logging then show the amount of days it hasnt logged.

Right, so a file that was ingested once, but not again afterwards can be ignored, you want to list sources that have been ingesting for a while, but then suddenly stopped receiving new logs?

Perhaps you could look at comparing last time and first time? If both are on the same day: ignore, otherwise include the item in the results and show the days since lasttime (as you already do)?

Yes that sounds good, if it logs on the same day and doesn't log again then we don't care. If it logs everyday for 7 days then suddenly stops count the amount of days it has stopped from.

Can you assist with the query? thanks.