I'm trying to create a query that can filter if a heartbeat has not occurred. Right now I have two separate queries I need to find a way to combine into one:
Query 1:
index=foo source="bar.log" sourcetype="baz" Device.statusReport earliest=-10d latest=-30m
| stats values(deviceId) as SeenIds
This gives me IDs of devices I'm expecting to see
Query 2:
index=foo source="bar.log" sourcetype="baz" Device.statusReport earliest=-30m
| stats values(deviceId) as LiveIds
This gives me IDs of devices that have sent a successful heartbeat in the last 30 minutes. The ideal way I would combine these is to filter out LiveIds from SeenIds, so I could get a list of devices that are potentially in trouble. How can I do so?
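One way to get the "seen but not live" list in a single search, as an added example rather than anything from the original post: instead of computing SeenIds and LiveIds separately and subtracting, pull the whole 10-day window once, take each device's most recent heartbeat, and keep only devices whose last heartbeat is older than 30 minutes. It assumes the same index, source, sourcetype, search term and deviceId field as the post; the field name minutesSilent is a constructed label.

```spl
index=foo source="bar.log" sourcetype="baz" Device.statusReport earliest=-10d
| stats max(_time) as lastSeen by deviceId
| where lastSeen < relative_time(now(), "-30m")
| eval minutesSilent = round((now() - lastSeen) / 60)
| fieldformat lastSeen = strftime(lastSeen, "%Y-%m-%d %H:%M:%S")
| sort - minutesSilent
| table deviceId lastSeen minutesSilent
```

A device that has never reported in the 10-day window will not appear at all (there is no event to produce a row), so if the expected fleet is known from another source, a lookup against that inventory is needed to catch devices that went silent before the window began.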