What I am trying to do is currently search for Computers that were last seen 10 days or more ago. Currently right now I have the following search syntax:
ComputerName=* AgentVersion=* | dedup ComputerName| table timestamp ComputerName, AgentVersion.
Do I need an eval and then last seen time? If so how would I do that?
Thank you,
Jack McAloon
What you have done should work if you change timestamp to _time:
ComputerName=* AgentVersion=* | dedup ComputerName | table _time ComputerName AgentVersion
But this is more efficient:
| metadata type=hosts | rename lastTime AS _time | fields _time host
But it does not give you the other details that you need.
BTW, you should ALWAYS specify index="SomeIndexHere" sourcetype="SomeSourcetypeHere"
in your searches.
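One way to turn the two approaches above into a scheduled report of endpoints whose agent has been silent for 10 or more days, as an added example that is not from the original answer: a savedsearches.conf fragment in which the index, sourcetype and field names (endpoint, agent:heartbeat, ComputerName, AgentVersion) are assumed placeholders.

```ini
# Constructed example: assumed index/sourcetype/field names, adjust to your data.
# First stanza keeps the per-computer details (AgentVersion) by using stats instead
# of dedup; it only sees hosts that reported at least once inside the search window.
[Stale endpoint agents - 10 days]
enableSched = 1
cron_schedule = 0 6 * * *
dispatch.earliest_time = -90d@d
dispatch.latest_time = now
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
search = index="endpoint" sourcetype="agent:heartbeat" ComputerName=* AgentVersion=* \
| stats latest(_time) AS last_seen latest(AgentVersion) AS AgentVersion BY ComputerName \
| eval days_since_seen = round((now() - last_seen) / 86400, 1) \
| where days_since_seen >= 10 \
| eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S") \
| sort - days_since_seen \
| table ComputerName AgentVersion last_seen days_since_seen

# Second stanza uses the index metadata, so it also catches hosts that stopped
# reporting before the 90-day window began, but it only knows the host field.
[Hosts absent per index metadata - 10 days]
enableSched = 1
cron_schedule = 0 6 * * *
search = | metadata type=hosts index="endpoint" \
| eval days_since_seen = round((now() - lastTime) / 86400, 1) \
| where days_since_seen >= 10 \
| eval last_seen = strftime(lastTime, "%Y-%m-%d %H:%M:%S") \
| sort - days_since_seen \
| table host last_seen days_since_seen
```

Run the two reports together: a host that appears in the second but not the first has been silent longer than the first search's window, which is exactly the coverage gap a stale agent creates.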