I have a basic search to identify systems that have not checked into a service for X amount of time. There is nothing fancy about the search but I must be missing something simple because when I use the where function to compare two fields I get no results. I am searching a list of hostnames, setting a threshold to compare against, and trying to display only events that are older than the set threshold:
index=main sourcetype="app:agent" hostname IN (host1 host2 host3)
| eval hostname=upper(hostname)
| eval threshold=now()-30
| stats latest(_time) as LastCheckin values(threshold) by computer_name
| where LastCheckin<threshold
| eval LastCheckin=strftime(LastCheckin,"%m-%d-%Y %H:%M:%S")
A couple of things to note:
The app checks in every couple of minutes, so for testing, the search only checks for events older than 30 seconds ago, as I know there are events older than that.
The threshold field is included in stats to verify that its value is in fact evaluated correctly.
Taking out the where function will display results as expected
I have another search using inputlookup that does work using the same type of format:
| inputlookup hosts.csv
| eval drop_off=now()-1728000
| where latest < drop_off
| stats values(latest) as latest by hostname
| outputlookup hosts_dropoff.csv
Any thoughts as to why I am getting these results? As I know inputlookup works for another case, I could apply it to this search but would rather not add another step to this process.
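As an added example (not part of the original post), here is the same dropped-host check written so that the threshold is a plain scalar computed after `stats` instead of being carried through a `values()` aggregate; the index, sourcetype, field names and 30-second window are taken from the search above, and `age_seconds` is an added field name used only to show how far past the threshold each host is:

```spl
index=main sourcetype="app:agent" hostname IN (host1 host2 host3)
| eval hostname=upper(hostname)
| stats latest(_time) as LastCheckin by computer_name
| eval threshold=now()-30
| eval age_seconds=threshold-LastCheckin
| where LastCheckin<threshold
| eval LastCheckin=strftime(LastCheckin,"%m-%d-%Y %H:%M:%S")
| table computer_name LastCheckin age_seconds
```

Because `threshold` is created on each stats row as a single numeric value, the `where` clause compares two scalars, which also makes it easy to swap the 30-second test window for a production value such as 1728000.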