The ultimate goal is to find out the longest period of time without any event in an index within the last month (and to do this across all indexes automatically, without having to specify the indexes in any query).
Currently I have two suggestions:
The first one works across all indexes:
| metasearch index=* | transaction maxevents=2 index host | stats max(duration) AS current_max_delay by index, host
The second one works only for one index (not helpful, placing it here just for possible inspiration):
index=INDEX_A | delta _time AS AtimeDelta | eval Apossitive_delta = (abs(AtimeDelta)/3600) | stats max(Apossitive_delta) as A_MaxDelta
FIRST question: How to handle a situation when there might be just one event in the last month, where I would like to identify not the delta between events (as there are no others), but between the event and the current time?
SECOND question: There might be many indexes and a large quantity of data. Is there any way to make this more efficient?
Many thanks for any suggestions.
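One way to address both questions in a single search, added here as an example and not part of the original post: it uses `tstats` (which reads only index metadata, so it is far cheaper than `metasearch | transaction` on large volumes) and appends a synthetic "now" marker per index so that an index with a single event, or a long silence after the last event, still yields a gap measured against the current time. It assumes a 30-day window, that event timestamps live in `_time`, and that a one-minute bucket granularity is acceptable.

```spl
| tstats count WHERE index=* earliest=-30d latest=now BY index, _time span=1m
| where count > 0
| append
    [| tstats count WHERE index=* earliest=-30d BY index
     | eval _time=now(), count=0 ]
| sort 0 index _time
| streamstats current=f last(_time) AS prev_time BY index
| eval gap_hours=round((_time - prev_time)/3600, 2)
| stats max(gap_hours) AS max_gap_hours, max(eval(if(count=0, null(), _time))) AS last_event BY index
| eval hours_since_last_event=round((now() - last_event)/3600, 2)
```

The `append` subsearch only contributes rows for indexes that had at least one event in the window, so an index that has been completely silent for 30 days will not appear; the `streamstats` step computes the delta to the previous minute bucket within each index, and the trailing `now()` row turns the silence since the last event into the final gap, while `hours_since_last_event` reports it separately.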