I have a custom log file format that I am importing via a Windows forwarder. In it there are a number of fields related to configuration items, and at the bottom is a summation of all the non-compliant items.
There could be multiple files for the same hostname (haven't changed it to ignore non-new files).
I would like to have an output that shows the latest file by hostname and the value for the field totalFailed. There will be multiple files from different hostnames, and I would like the most recent file from each host to show the line of total failed items.
hostA | file | totalFailed
As a bonus point, how would I colorize (red) any values of totalFailed if it's non-zero?
I would eventually like to extend this to a dashboard that shows a single value image of all non-compliant hosts (red>0) and all compliant hosts (green=0). I would imagine I need this to be a parameterized search to return a single value and the hostname to label it. But first things first, I tried using
| stats max(file) by hostname
but that gets me a count of the files for the latest hostname.
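One search that produces the requested hostname / file / totalFailed table with a colour bucket, added here as an example and not part of the original post: it keeps only events that carry the summary field, takes the newest value per host with `latest()`, and uses `rangemap` to tag zero failures as `low` and anything above as `severe`. The `index` and `sourcetype` values are placeholders for the poster's actual settings; `hostname`, `file` and `totalFailed` are the field names from the post.

```spl
index=compliance sourcetype=compliance_report totalFailed=*
| stats latest(file) AS file latest(totalFailed) AS totalFailed BY hostname
| rangemap field=totalFailed low=0-0 severe=1-1000000 default=severe
| table hostname file totalFailed range
| sort hostname
```

`latest()` picks the value from the most recent event by `_time`, so the forwarder's timestamp extraction must be correct for each file for this to return the newest report per host. The `range` field (`low` or `severe`) is what a dashboard table or Single Value panel can key its red/green colouring on.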