stoomart, your script appears to be exactly what I need, when I run the script in a RHEL 9 box it immediately transitions to the fsck command with a single bucket option, then displays an error message "path is not extant".  Your thoughts?  Also please clarify where you show "{index-name}", are you using the brackets to indicate placeholders or are they to be used in the thawed bucket path and at the end?   Thank you in advance for your help!   ... View more

The trick is to use "case" eval function:   count(eval(action="allowed")) as allowed count(eval(action="blocked" OR action="dropped")) as blocked values(eval(case(action="allowed", count))) as allowed values(eval(case(action="blocked" OR action="dropped", count))) as blocked   ... View more

Indeed, props.conf, transforms.conf, and inputs.conf (from the Docs) on the UF for the win! The full TA on SH & IDX. ... View more

I've found the stat functions 'earliest' and 'latest' work best for time-dependent field reporting: ... | stats latest(_time) as _time, latest(X) ... View more

Another possible approach that doesn't require a subsearch. Use if to set a variable to 1 if the time is within the last day and 0 if it is older. Sum the variable to get a count of events that happened in the last 24 hours and count all the events. If all of the events are new (AllCount=NewCount), then the event has only happened in the last 24 hours. Example: table _time host Code | eval cutOffTime=relative_time(now(),"-24h"), New=if (_time>cutOffTime,1,0) | stats sum(New) as NewCount count as AllCount by host Code | where AllCount = NewCount ... View more