Hi @LuísMSB,

in the Community, you can find thousands of answers to this question!

Anyway, you have two choices:

- create a lookup containing the perimeter to monitor,
- check if a host sent logs in the last 30 days and didn't send any in the last hour.

In the first case, you have to create a lookup called perimeter.csv containing at least one column (host), then you can run a search like the following:

    | tstats
        count
        WHERE index=*
        BY host
    | append [ | inputlookup perimeter.csv | eval count=0 | fields host count ]
    | stats
        sum(count) AS total
        BY host
    | where total=0

If instead you don't want to manage a lookup, you can use this search:

    | tstats
        latest(_time) AS _time
        count
        WHERE index=* earliest=-30d@d latest=now
        BY host
    | eval period=if(_time<now()-3600,"previous","latest")
    | stats
        dc(period) AS period_count
        values(period) AS period
        BY host
    | where period_count=1 AND period="previous"

I prefer the first solution because it gives you more control.

Ciao.

Giuseppe
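
An added example, not part of Giuseppe's answer: the two searches above combined into one, so that hosts listed in perimeter.csv that never reported and hosts that went quiet in the last hour show up in a single result with their last-seen time. The lookup name, the 30-day window and the one-hour threshold come from the answer; the lower() normalization (so that case differences between the lookup and the indexed host values do not cause false alerts) and the status and last_seen field names are assumptions added here.

```spl
| tstats
    latest(_time) AS last_seen
    count
    WHERE index=* earliest=-30d@d latest=now
    BY host
| eval host=lower(host)
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats
    max(last_seen) AS last_seen
    sum(count) AS total
    BY host
| eval status=case(total=0, "never seen in 30d", last_seen<now()-3600, "silent > 1h", true(), "ok")
| where status!="ok"
| eval last_seen=strftime(last_seen, "%F %T")
| table host status last_seen total
```

Hosts that are not in the lookup are also reported when they go quiet for more than an hour, which helps spot sources missing from the perimeter list.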