That was really close. In this format, it was returning successful backups older than the 'epoch1dayago'. It gave me the jumping-off point I needed. Here's what I changed it to:
eventtype=msexchange-database-stats LastFullBackup |
stats latest(LastFullBackup) as LastFullBackup,latest(LastIncrementalBackup) as LastIncrementalBackup by Database |
eval epoch_last_full_backup=strptime(LastFullBackup, "%m/%d/%Y %H:%M:%S") |
eval epoch1dayago=relative_time(now(), "-1d@d" ) |
where epoch1dayago>=epoch_last_full_backup |
rename host as "Mailbox Store",LastFullBackup as "Last Full",LastIncrementalBackup as "Last Incremental"