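``` Host liveness report: per-host event counts over the last two days, flagged DOWN ```
``` when a host has sent nothing in the last two hours. Triple-backtick comments need a ```
``` recent Splunk release; strip them on older deployments. ```
``` TODO: the index name was redacted (index= is empty) and must be filled in before use. ```
index= earliest=-2d@d
| stats count by host, _time
``` Most recent event time per host. eventstats keeps every row and replaces the join, ```
``` whose subsearch re-ran the same search and is subject to subsearch row/time limits. ```
| eventstats max(_time) as latesttime by host
``` Events in the two wall-clock hours before now. ```
| eval lastTwoHrCount = if(_time<=now() AND _time>=now()-7200, count, 0)
``` Events in the hour (3600 s) ending at the host's own latest event. The original used ```
``` the same 7200 s wall-clock window as above and never referenced latesttime, which ```
``` contradicted both the field name and the "Last Hour Count from LatestEvent" label. ```
| eval lastHrCountFrmLatestEvent = if(_time<=latesttime AND _time>=latesttime-3600, count, 0)
``` max() for the latest-hour figure is kept from the original; sum() may be intended - confirm. ```
| stats sum(lastTwoHrCount) as lastTwoHrCount, max(lastHrCountFrmLatestEvent) as lastHrCountFrmLatestEvent by host
``` DOWN only when the host was silent for two hours AND its last active hour stayed ```
``` under the 5000-event threshold; a silent host that was previously busy is still UP. ```
| eval status = if(lastTwoHrCount==0 AND lastHrCountFrmLatestEvent<5000, "DOWN", "UP")
| table host, lastTwoHrCount, lastHrCountFrmLatestEvent, status
| rename host as Host, lastTwoHrCount as "Last 2hrs Count", lastHrCountFrmLatestEvent as "Last Hour Count from LatestEvent", status as Status
``` Hosts with no rows in a window show 0 rather than an empty cell. ```
| fillnull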