Hi @scelikok,   Thanks for the query. This query is not giving any info about the index. Can index field be added as well while displaying the results. Also,  there are certain source log files which are created daily based on date. So, how will that be taken into account?

Hi @richa , probably, source isn't the best solution to check ingestion because it usually change, for this reason I used sourcetype, otherwise, you could use index: | tstats count latest(_time) AS _time WHERE index IN (index1, index2, index3, index4) earliest=-30d@d BY index | eval period=if(_time>now()-86400,"Last 24 hours", "Previous") | stats dc(period) AS period_count values(period) AS period BY index | where period_count=1 AND period="Previous" | table index _time Ciao. Giuseppe

Hi @gcusello, Thanks for the query. But I would like to have it on sources and not source type as certain source types can have few log sources configured in it. Also, one more thing i would like to add, there are few log files which are created daily based on date. And if we configure the alert on log sources then those log sources will come as alert in the search query for not receiving logs as daily new files are generated. so, how to cater to that scenario?

Hello, Thank you for the response. This is considered as a vulnerability and we can't unrestrict it. At the moment, all our dashboards made in html have jquery version 2.1.0. If there was a way to set the dashboard version to 1.1 like we did to other simplexml dashbords that would be great. Thanks

Hi @richa, having a lookup will give you more conterol on the check process, but anyway, if you want to check the sourcetypes in four indexes that didn't send logs in the last 24 hours but that sent in the previous 30 days, you can run the following search: | tstats count latest(_time) AS _time values(index) AS index WHERE index IN (index1, index2, index3, index4) earliest=-30d@d BY sourcetype | eval period=if(_time>now()-86400,"Last 24 hours", "Previous") | stats dc(period) AS period_count values(period) AS period BY sourcetype | where period_count=1 AND period="Previous" | table sourcetype index _time Ciao. Giuseppe

Hi @richa, You can use the below query by updating your 4 indexes, it will check all sources that send data in 48 hours but stopped more than 24 hours. | tstats latest(_indextime) as latest where index IN (index1,index2,index3,index4) earliest=-48h by source | eval delay = now() -latest | where delay > 86400 | eval delay=tostring(delay, "duration") | fields - latest

Below is the query I tried sourcetype=“my_source” [search sourcetype="my_source" "failed request, request id=" | rex “failed request, request id=(?<request_id>[\w-]+)" | request_id | fields request_id | rename request_id as search] | table user_id user_name Here I got only one use id multiple times but when I do normal query like below sourcetype=“my_source” "failed request, request id=" | rex “failed request, request id=(?<request_id>[\w-]+)" | table request_id Here I see more than 250 events

Again, you aren't really giving me any useful information. What is your complete search which is not doing as you expect? How many of each request id are you getting? How many of each request id were you expecting?

How do you know you are getting fewer results (than expected)? Which events are being missed? Is there a common theme to the missing events? Does it happen all the time or only with certain timeframes? What else have you done to investigate the issue?