Hello All,
How can we get a list of sources which did not have any data for the last 24 hours in Splunk for a particular index?
When I am trying to use metadata, the result is coming from sourcetype, but not from the source. Below is my search:
| metadata type=sourcetypes index=myindex | rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "First Event"=strftime('First Event', "%c") | fieldformat "Last Event"=strftime('Last Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c")
Could you please help us on this?
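One way to list silent sources, as an added example that is not part of the original post: the same search switched to `type=sources` and filtered on sources whose last update is older than 24 hours. The `hours_silent` field name is an assumption introduced here; `myindex` is the index name from the question.

```spl
| metadata type=sources index=myindex
| where recentTime < relative_time(now(), "-24h")
| eval hours_silent = round((now() - recentTime) / 3600, 1)
| sort - hours_silent
| rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update"
| fieldformat Count=tostring(Count, "commas")
| fieldformat "First Event"=strftime('First Event', "%c")
| fieldformat "Last Event"=strftime('Last Event', "%c")
| fieldformat "Last Update"=strftime('Last Update', "%c")
| table source Count "First Event" "Last Event" "Last Update" hours_silent
```

Run it over a time range wider than 24 hours so sources that stopped earlier are still returned. `metadata` only reports sources that already have events in the index, so a source that has never sent data will not appear.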