Thanks. I wrote this query:

| tstats latest(_time) as latest where index=* earliest=-24h by host
| eval recent = if(latest > relative_time(now(),"-5m"),1,0), realLatest = strftime(latest,"%c")
| where recent=0

Question: Do you think this query will answer my original question of: writing a query that will be used to create a dashboard tracking 1 or 2 log feeds that would be colored based on some threshold (last seen 24 hours red, last seen 10 mins green)? Please add to the query if there is anything missing.

I added the lines for colors in the XML edit for the dashboard, but it is giving me a validation error message. Your help would be appreciated.