I am trying to develop a search that can identify missing logs based on the average time between log entries for each specific host. I presently have a search string ( | metadata type=hosts | where recentTime < now() - 60 | eval lastSeen = strftime(recentTime, "%F %T") | fields + host lastSeen ) that identifies missed logs based on the amount of time from "now", but I would like to calculate an average time and identify missed logs based on their average + some % of time from now.
Example: A certain log comes in approximately every 5 minutes. I want to identify that certain log in a list if it is not seen for, say, 5.75 minutes (based on 5 (AVG) + .75 (15%)). I want to do this for each host. I think I will just need to insert the logic in the area of "now() - 60".
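One way to build the per-host baseline the question asks for, as an added example that is not part of the original post and not something the poster wrote: instead of the fixed "now() - 60" cutoff, compute the average inter-arrival gap per host from recent events and flag a host when the time since its last event exceeds that average plus 15%. The search assumes the events live under index=* (narrow this to the real index) and that a 24-hour window is enough history to establish a meaningful average; both are assumptions, not details from the post.

```spl
index=* earliest=-24h
| sort 0 host _time
| streamstats current=f last(_time) as prev_time by host
| eval gap = _time - prev_time
| stats avg(gap) as avg_gap max(_time) as lastSeen by host
| eval threshold = avg_gap * 1.15
| eval silence = now() - lastSeen
| where silence > threshold
| eval lastSeen = strftime(lastSeen, "%F %T")
| eval avg_gap_min = round(avg_gap / 60, 2)
| eval silence_min = round(silence / 60, 2)
| table host lastSeen avg_gap_min silence_min
```

The sort puts each host's events in chronological order so that streamstats with current=f hands every event the timestamp of the previous event from the same host; the eval turns that into a positive gap in seconds, and stats reduces it to one average and one last-seen time per host. Two edge cases to keep in mind: a host with only one event in the window gets a null avg_gap and is silently dropped by the where clause, and a host that stopped logging before the window began never appears at all, which is exactly the case the original "| metadata type=hosts" search still catches, so the two searches complement rather than replace each other.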