My whole search is:
| `host_eventcount(30,2)` | search is_expected=true | `ctime(lastTime)` | fields + host,lastTime,dayDiff |rename host AS "Hostname", lastTime AS "Last Time Seen" , dayDiff AS "Days Not Seen" | eval c_time=strftime(log_time,"%m/%d/%y %H:%M:%S")
Anyway to make this more efficient?
