I'm trying to sort an hour search with:
eval mydiff=tostring(info_search_time-orig_time, "duration") | table orig_host,lastTime,mydiff | rename orig_host AS "Hostname", lastTime AS "Last Time Seen", mydiff AS "Days Not Seen"
How do I sort the count to only show hosts that haven't been seen over 2 hours?
Thanks
Something like this should get you started.
eval mydiff=tostring(info_search_time-orig_time, "duration") | where lastTime < relative_time(now(),"-2h") | table orig_host,lastTime,mydiff | rename orig_host AS "Hostname", lastTime AS "Last Time Seen", mydiff AS "Days Not Seen"