Re: Trying to find host that send logs over the la...

johnlzy0408 · ‎02-03-2022

Hi, i am trying to search for host that are sending logs over the last 7 days. Anything more than 7 days i will like to exlcude out from my results.

Right now i am using this query and searching over the last 7 days.

===================================================

| metadata type=hosts index=*
| rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" host as "Hostname"
| table Hostname Count "First Event" "Last Event" "Last Update"
| fieldformat Count=tostring(Count, "commas")
| fieldformat "First Event"=strftime('First Event', "%d-%m-%Y %k:%M")
| fieldformat "Last Event"=strftime('Last Event', "%d-%m-%Y %k:%M")
| fieldformat "Last Update"=strftime('Last Update', "%d-%m-%Y %k:%M")
| sort by "Last Update"
| reverse

==================================================

This query give me what i wanted but towards the end of the results, those last updated time include those hosts which last send over few months ago.

Anybody can enlighten me what i should do for results only lasting last 7 days till 28 Jab 2022?

PickleRick · ‎02-03-2022

| tstats earliest(_time) latest(_time) count where index=* earliest=-7d by host

Trying to find host that send logs over the last 7 days

search job inspector

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?