Hi Giuseppe,
Thanks for your quick reply. See below my search:
| inputlookup perimeter.csv
| eval SplunkHost=lower(SplunkHost)
| join SplunkHost type=outer
[| metadata my indexexes type=hosts
| rename totalCount as Count, host as SplunkHost, lastTime as "Last Event"
| eval actualhourslag=(now()-'Last Event')/60/60
| eval SplunkHost=lower(SplunkHost)]
| fieldformat "Last Event"=strftime('Last Event', "%c")
| where actualhourslag>HoursLag OR NOT actualhourslag="*"
| stats sum(Count) by SplunkHost
| rename sum(Count) as total
| where total < 50
This is the search I'm using for my dashboard. When I use the timeframe 0-6 hours or 6-12 hours or 12 - 18 hours or 18 - 24 hours or 1 - 5 days, the result is almost the same in some instance and they overlap. I just would like to know if I can have each device in a very specific timeframe. For example, any devices in 0-6 hours cannot be seen in 12-18 hours and cannot be seen in 18-24 hours and so on.
Best,
Louispaul76
... View more