Hi @TTAL, to have a status dashboard, you need at first a list of the systems to monitor. You can put this list in a lookup (called e.g. perimeter.csv) containing at least one field (host). Then you can run a search like the following:

| tstats count WHERE index=* BY host
| append [ | inputlookup perimeter.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| eval status=if(total=0,"Missing","Present")
| table host status

Then you could also consider the case that you have some host not present in the lookup; in this case, you have to use a little more complicated search:

| tstats count WHERE index=* BY host
| eval type="index"
| append [ | inputlookup perimeter.csv | eval count=0, type="lookup" | fields host count type ]
| stats
    dc(type) AS type_count
    values(type) AS type
    sum(count) AS total
    BY host
| eval status=case(total=0,"Missing",type_count=1 AND type="index","new host",true(),"Present")
| table host status

At last, if you don't want to manage the list of hosts to monitor, you can use a different search to find the hosts that sent logs in the last 7 days but that didn't send logs in the last hour (obviously you can change these parameters):

| tstats count latest(_time) AS _time WHERE index=* earliest=-7d@d BY host
| eval status=if(_time<now()-3600,"Missing","Present")
| table host status

I don't like this last solution because, even if it requires more time to manage, it gives you less control than the others.

Ciao.
Giuseppe
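To make the decision logic of the two approaches above easy to test outside Splunk, here is an added Python example that is not part of Giuseppe's answer. It replays the lookup-based search (Missing / new host / Present) and the silence-based search (hosts seen inside a 7-day window whose latest event is older than one hour) over a constructed perimeter list and a constructed set of events; the host names, timestamps and the `PERIMETER`/`EVENTS` structures are all assumptions made for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumption, not taken from any real index).
# PERIMETER plays the role of perimeter.csv, field "host".
PERIMETER = ["web01", "db01", "fw01"]

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2024, 1, 10, 12, 0, 0)

# (host, _time) pairs standing in for the events returned by tstats.
EVENTS = [
    ("web01", NOW - timedelta(minutes=5)),
    ("web01", NOW - timedelta(hours=3)),
    ("db01",  NOW - timedelta(hours=2)),      # last seen 2h ago -> silent for >1h
    ("app07", NOW - timedelta(minutes=30)),   # sends logs but is not in the perimeter
    ("old99", NOW - timedelta(days=10)),      # stopped before the 7-day window
]


def counts_by_host(events):
    """Equivalent of `| tstats count WHERE index=* BY host`."""
    counts = {}
    for host, _ in events:
        counts[host] = counts.get(host, 0) + 1
    return counts


def status_with_lookup(events, perimeter):
    """Second search: union of index hosts and lookup hosts, then classify.

    total=0            -> "Missing"  (in the lookup, nothing in the index)
    index only         -> "new host" (sends logs but is unknown to the perimeter)
    in both            -> "Present"
    """
    counts = counts_by_host(events)
    perimeter = set(perimeter)
    result = {}
    for host in sorted(set(counts) | perimeter):
        if host not in counts:
            result[host] = "Missing"
        elif host not in perimeter:
            result[host] = "new host"
        else:
            result[host] = "Present"
    return result


def status_by_silence(events, now, window=timedelta(days=7),
                      silence=timedelta(hours=1)):
    """Third search: latest(_time) per host inside the window, then compare
    it with now()-3600.  A host that stopped sending before the window
    (old99 in the sample) never appears, which is why this approach gives
    less control than a maintained perimeter list."""
    latest = {}
    for host, t in events:
        if t < now - window:          # outside earliest=-7d@d
            continue
        if host not in latest or t > latest[host]:
            latest[host] = t
    return {host: ("Missing" if t < now - silence else "Present")
            for host, t in sorted(latest.items())}


if __name__ == "__main__":
    for host, status in status_with_lookup(EVENTS, PERIMETER).items():
        print(f"{host:8} {status}")
    print("---")
    for host, status in status_by_silence(EVENTS, NOW).items():
        print(f"{host:8} {status}")
```

Running it shows the difference between the two searches on the same data: the lookup-based version reports fw01 as Missing and app07 as a new host, while the silence-based version flags db01 as Missing and simply never lists fw01 or old99, because it only knows about hosts that have sent something inside the window.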