I'm trying to create something that displays long term outages: any index that hasn't had traffic in the last hour. I've made heartbeat alerts that notify when outages occur, but they're limited to an hour to save resources. After that hour, they drop off the face of the earth and aren't accounted for - this is okay for alerts, but not for a dashboard, where persistence is the goal. I'm trying to create a search that returns the names of any index that's had 0 logs in the last hour. I have this so far: | tstats count where [| inputlookup monitoringSources.csv | fields index | format] earliest=-1h latest=now() by index | where count=0 However, I know this doesn't work, as I have a dummy index name in that .csv file that doesn't exist. If I'm not mistaken, it should be returning the dummy index with a count of 0 (it does not). How could I do this without inflating the search time range past an hour? ... View more

Hello! Rather than manually specifying the indexes I want to perform this heartbeat query on, I was wondering if there was a way to input a .csv lookup instead. | tstats latest(_time) as latest where index="index1" OR index="index2" earliest=-24h by index | eval recent = if(latest > relative_time(now(),"-1m"),1,0), realLatest = strftime(latest,"%c") | where recent=0 | fields- recent, latest | rename realLatest as "Last Event Timestamp" The .csv would just contain a bunch of index names that we'd want to monitor, but so far I haven't been able to get around the fact that tstats must come first, and that the index argument does not accept complex inputs. Thanks! ... View more