I have a situation where, in the span of 10 mins, there could be a possibility that we didn't get any data from one of the sourcetypes for one interval but started getting data for the next interval; this way I am losing data in the summary index. Any suggestions would be helpful.
Here's a part of my query:
| metadata type=sources index=abc
| search source=random
| eval earliest=lastTime - 300
| eval latest=now()
| fields earliest latest
So this random source is collecting data from all the sourcetypes.