I have this search below, which is incredibly slow because it has to scan the entire index and run the eval on millions of records. There is no need, however; I only need the most recent event per source/host pair. The append and join are purely to make sure I can easily spot cases where there are no events. The time picker doesn't really work, as some sources have a much lower frequency than others; I'd really like to just select the most recent event for each source and host.
index="blah" host=asdf-*
| eval delta=now()-_time
| append [| metadata type=hosts | search host=asdf-* | eval join=1
          | join max=0 join [| metadata type=sources | search source=asdf*.log | eval join=1]
          | fields + host, source]
| stats min(delta) as "seconds_since_last_event" by host source
| where seconds_since_last_event>1800 OR isnull(seconds_since_last_event)
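The same check rewritten around tstats, as an added example that is not part of the original post: tstats reads host, source and _time from the index's tsidx files, so it returns the latest timestamp per host/source pair without scanning raw events. It assumes the metadata subsearches should be scoped to index="blah" (the original leaves them unscoped).

```spl
| tstats max(_time) as last_event_time where index="blah" host=asdf-* by host, source
| eval seconds_since_last_event=now()-last_event_time
| append [| metadata type=hosts index="blah" | search host=asdf-* | eval join=1
          | join max=0 join [| metadata type=sources index="blah" | search source=asdf*.log | eval join=1]
          | fields host, source]
| stats min(seconds_since_last_event) as seconds_since_last_event by host, source
| where seconds_since_last_event>1800 OR isnull(seconds_since_last_event)
```

The appended metadata rows carry no seconds_since_last_event, so a host/source pair with no events at all still surfaces through the isnull() branch exactly as in the original search.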