The search string I am currently using is the following:
| metadata type=hosts | where recentTime < now() - 86400 | eval lastSeen = strftime(recentTime, "%F %T") | fields + host lastSeen | sort - lastSeen
I would like to be able to use that as a base search but be able to append some more specific filters such as:
host=abc*
index=dns
The first command that came to mind was adding a pipe search at the end, but that doesn't seem to work properly. I know this may be elementary for some of you Splunkers out there, but can anyone offer a quick hand? Much appreciated!
Brian