Hi all,
I have written the metadata search below to find the hosts which reported yesterday but are not reporting in the last 1 hour.
| metadata type=hosts | eval current=now() | eval lastHour=relative_time(current,"-1h") | eval yesterday=relative_time(now(), "-1d") | where (recentTime>yesterday AND recentTime<lastHour) | convert ctime(current) as Current_Time, ctime(lastHour) as Last_Hour, ctime(recentTime) as Recent | table Current_Time, Last_Hour, Recent, host
This search is returning a list of hosts, but after I dig into these hosts, they seem to be reporting to their respective indexes, which means the metadata search is giving me wrong results.
I started breaking up the search and excluded recentTime<lastHour from the where clause. Below is the resulting search:
| metadata type=hosts | eval current=now() | eval lastHour=relative_time(current,"-1h") | eval yesterday=relative_time(now(), "-1d") | where recentTime>yesterday | convert ctime(current) as Current_Time, ctime(lastHour) as Last_Hour, ctime(recentTime) as Recent | table Current_Time, Last_Hour, Recent, host
This gives me a list of only 2 hosts, whereas in my environment hundreds of hosts are reporting.
Not really sure what is happening.
Please help !!
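An added example, not from the original poster: the same "reported in the last day but silent for the last hour" check written with tstats over an explicit index=* scope. It assumes (not confirmed by the post) that the hosts in question write to indexes outside the default search scope that an unqualified | metadata command covers.

```spl
| tstats max(_time) as recentTime where index=* earliest=-1d by host
| eval lastHour=relative_time(now(), "-1h")
| where recentTime < lastHour
| convert ctime(recentTime) as Recent, ctime(lastHour) as Last_Hour
| table host, Recent, Last_Hour
```

Rows in the result are hosts that indexed at least one event in the last 24 hours but none in the last hour, regardless of which index they report to.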