This is the search that generates the alert if I don't see anything in the last 5 minutes:
| metadata type=hosts index=Exchange
| where lastTime < (now() - 300)
| convert timeformat="%d/%b/%Y %H:%M:%S" ctime(recentTime)
| convert timeformat="%d/%b/%Y %H:%M:%S" ctime(lastTime)
| convert timeformat="%d/%b/%Y %H:%M:%S" ctime(firstTime)
Thanks
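The check in the search above (flag every host whose last data is older than 300 seconds, then render the epoch fields with the same timeformat) can be reproduced outside Splunk to see what it does with a few rows. The block below is an added example, not code from the post or from Splunk; the rows are constructed to look like the output of `| metadata type=hosts` (firstTime/lastTime are event timestamps, recentTime is the index time of the most recently indexed event), and the fixed `NOW` value is an assumption so the result is deterministic. It also goes one step past the posted search: the `field` parameter lets the same check run on `recentTime` instead of `lastTime`, which is the difference between "no events with a recent timestamp" and "nothing indexed recently", and that matters when a source's clock is skewed.

```python
from datetime import datetime, timezone

# Fixed "now" (epoch seconds) so the example is deterministic. Assumption.
NOW = 1_700_000_000

# Constructed sample rows shaped like `| metadata type=hosts index=Exchange` output.
SAMPLE_HOSTS = [
    {"host": "exch01", "firstTime": NOW - 86400, "lastTime": NOW - 60,
     "recentTime": NOW - 55, "totalCount": 12000},
    {"host": "exch02", "firstTime": NOW - 86400, "lastTime": NOW - 900,
     "recentTime": NOW - 890, "totalCount": 8000},
    # Skewed clock: event timestamps look fresh (in the future, even) but
    # nothing from this host has actually been indexed for 20 minutes.
    {"host": "exch03", "firstTime": NOW - 86400, "lastTime": NOW + 30,
     "recentTime": NOW - 1200, "totalCount": 5000},
]

# Same format string as the convert commands in the search.
TIMEFORMAT = "%d/%b/%Y %H:%M:%S"


def ctime(epoch):
    """Mirror of `convert timeformat="..." ctime(field)`, rendered in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(TIMEFORMAT)


def silent_hosts(rows, now, threshold=300, field="lastTime"):
    """Return the hosts that would pass `| where <field> < (now() - threshold)`.

    field="lastTime"   -> newest event timestamp (what the posted search uses)
    field="recentTime" -> newest index time (robust against clock skew)
    """
    stale = []
    for row in rows:
        if row[field] < now - threshold:
            stale.append({
                "host": row["host"],
                "firstTime": ctime(row["firstTime"]),
                "lastTime": ctime(row["lastTime"]),
                "recentTime": ctime(row["recentTime"]),
                "silent_for": now - row[field],
            })
    return stale


def silent_host_names(rows, now, threshold=300, field="lastTime"):
    """Just the host names, in input order, for a quick alert body."""
    return [r["host"] for r in silent_hosts(rows, now, threshold, field)]


if __name__ == "__main__":
    for r in silent_hosts(SAMPLE_HOSTS, NOW):
        print("lastTime   check:", r)
    for r in silent_hosts(SAMPLE_HOSTS, NOW, field="recentTime"):
        print("recentTime check:", r)
```

With these rows the `lastTime` check, as in the posted search, reports only exch02; switching the field to `recentTime` also catches exch03, whose events carry fresh timestamps although nothing has been indexed from it in 20 minutes.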
Thanks for your answers. I am not at work at the moment... so can't get the exact search. But it was based on one of the examples for the metadata command. @Somesoni2, can you give an example of the summary index data option? Say I am using only one index...
I will also look at the forwarder monitoring option when I get into work... thanks.