Thanks, the hard part is locating what is "custom". Do you know of a query that might return a list of "custom" data inputs? Or, a way to list "default" data inputs and then use that as a list to determine what is "custom"...thanks again for your help! ... View more

This is what i ended up doing. (obviously, you will have to create your own lookup like the one below this paragraph) And you may or may not be referencing a host and sourcetype blacklist like mine.....if not, just remove those lines...As you can see I'm filtering on percent changes, which is a threshold you can change or remove the where command altogether..I'm still working on the math, but for the most part i think its right. sourcetype interval blah 300 blah1 86400 | tstats latest(_indextime) as Latest where index=* by host sourcetype index | remove_blacklisted_servers() | search NOT [ inputlookup sourcetype_blacklist.csv | table sourcetype] | lookup sourcetype_interval.csv sourcetype OUTPUT interval as intervals | eval intervals=round(intervals/60/60,2) | eval intervals=coalesce(intervals,0) | eval current=now() | eval Minimum_Age=round(((current-Latest)/60)/60,2) | eval perc_change=((Minimum_Age-intervals)/Minimum_Age*100) | where perc_change > 90 | rangemap field=Minimum_Age default=Critical Normal=0-0.5 Elevated=0.5-2 Warning=2-3 | eval stIDX=tostring(index) + " -- " + tostring(sourcetype) | eval stINT=tostring(sourcetype) + " -- " + tostring(intervals) | eval stLast=tostring(sourcetype) + " -- " + tostring(Minimum_Age) | eval pcChange=tostring(sourcetype) + " -- " + tostring(perc_change) | stats values(stIDX) as Index--Sourcetype list(Latest) as "Latest Event" list(Minimum_Age) as Minimum_Age list(range) as Threshold list(stINT) as Sourcetype--Interval list(stLast) as Sourcetype--HoursSinceLast list(pcChange) as Sourcetype--PercChange by host | convert ctime("Latest Event") timeformat="%Y/%m/%d %H:%M" | eventstats avg(Minimum_Age) as average by host | eval average=round(average,2) | rename Minimum_Age as "Hours Since Last Seen" average as "Avg Hours Since Last Seen" lintervals as ST_Interval | sort "Latest Event" | fields - "Avg Hours Since Last Seen" | table host "Latest Event" Threshold Sourcetype--Interval Sourcetype--HoursSinceLast Sourcetype--PercChange ... View more

Thanks for your help. played around with what you suggested and went with the two versions posted below. Will accept your answer..thanks again! ... View more

****ANSWER UPDATE**** I ended up with two versions: Both listed below *** The first is a multi-vlaue comparison of sourcetype interval vs time last seen--with a percentage of change column *** | tstats latest(_indextime) as Latest where index=* by host sourcetype index | `remove_blacklisted_servers()` | search NOT [ inputlookup sourcetype_blacklist.csv | table sourcetype] | lookup sourcetype_interval.csv sourcetype OUTPUT interval as intervals | eval intervals=round(intervals/60/60,2) | eval intervals=coalesce(intervals,0) | eval current=now() | eval Minimum_Age=round(((current-Latest)/60)/60,2) | eval perc_change=((Minimum_Age-intervals)/Minimum_Age*100) | rangemap field=Minimum_Age default=Critical Normal=0-0.5 Elevated=0.5-2 Warning=2-3 | eval stIDX=tostring(index) + " -- " + tostring(sourcetype) | eval stINT=tostring(sourcetype) + " -- " + tostring(intervals) | eval stLast=tostring(sourcetype) + " -- " + tostring(Minimum_Age) | eval pcChange=tostring(sourcetype) + " -- " + tostring(perc_change) | stats values(stIDX) as Index--Sourcetype list(Latest) as "Latest Event" list(Minimum_Age) as Minimum_Age list(range) as Threshold list(stINT) as Sourcetype--Interval list(stLast) as Sourcetype--HoursSinceLast list(pcChange) as Sourcetype--PercChange by host | convert ctime("Latest Event") timeformat="%Y/%m/%d %H:%M" | eventstats avg(Minimum_Age) as average by host | eval average=round(average,2) | rename Minimum_Age as "Hours Since Last Seen" average as "Avg Hours Since Last Seen" lintervals as ST_Interval | sort "Latest Event" | fields - "Avg Hours Since Last Seen" | table host "Latest Event" Threshold Sourcetype--Interval Sourcetype--HoursSinceLast Sourcetype--PercChange The second uses a single value table (makes it easier to compare lastSeen > interval)--also, has a field for percentage of change to filter on | tstats latest(_indextime) as Latest where index=* by host sourcetype index | `remove_blacklisted_servers()` | search NOT [ inputlookup sourcetype_blacklist.csv | table sourcetype] | lookup sourcetype_interval.csv sourcetype OUTPUT interval | eval interval=round(interval/60/60,2) | eval current=now() | eval Minimum_Age=round(((current-Latest)/60)/60,2) | rangemap field=Minimum_Age default=Critical Normal=0-0.5 Elevated=0.5-2 Warning=2-3 | eval stIDX=tostring(index) + " -- " + tostring(sourcetype) | stats values(stIDX) as Index--Sourcetype list(Latest) as "Latest Event" list(Minimum_Age) as Minimum_Age list(range) as Threshold values(interval) as interval by host sourcetype | convert ctime("Latest Event") timeformat="%Y/%m/%d %H:%M" | eventstats avg(Minimum_Age) as average by host | eval average=round(average,2) | where Minimum_Age > interval | eval threshold_filter=mvfilter(NOT match(Threshold,"Normal") AND NOT match(Threshold,"Warning") AND NOT match(Threshold,"Elevated")) | rename Minimum_Age as hours_since average as "Avg Hours Since Last Seen" interval as ST_Interval | where threshold_filter = "Critical" | sort - hours_since | fields - "Avg Hours Since Last Seen" | eval perc_change=((hours_since-ST_Interval)/hours_since*100) | where perc_change > 90 | table host Index--Sourcetype "Latest Event" hours_since Threshold ST_Interval perc_change ... View more

Ok soooo. I'm pretty sure its because im doing a stats list(interval) by host...Thus, its just simply listing the intervals ...Whereas I should be doing a stats values(interval) by sourcetype...however, I'm not sure how to add that in?. Again, thanks for your help ... View more

You are a cool dude. Thanks for the feedback. Perhaps it is an issue of multiple intervals, or permissions related. I'll check it out. thanks! ... View more

Thanks aberkow! I've implemented some changes and I am now getting an 'interval' column with values...However, the values dont seem to line up with their appropriate corresponding sourcetype. Not sure why. Any ideas? | tstats latest(_indextime) as Latest where index=* by host sourcetype index | `remove_blacklisted_servers()` | search NOT [inputlookup sourcetype_blacklist.csv | table sourcetype] | lookup sourcetype_interval.csv sourcetype OUTPUT interval as intervals | eval intervals=round(intervals/60/60,2) | eval current=now() | eval Minimum_Age=round(((current-Latest)/60)/60,2) | rangemap field=Minimum_Age default=Critical Normal=0-0.5 Elevated=0.5-2 Warning=2-3 | eval stIDX=tostring(index) + " -- " + tostring(sourcetype) | stats values(stIDX) as Index--Sourcetype list(Latest) as "Latest Event" list(Minimum_Age) as Minimum_Age list(range) as Threshold list(intervals) as lintervals by host | convert ctime("Latest Event") timeformat="%Y/%m/%d %H:%M" | eventstats avg(Minimum_Age) as average by host | eval average=round(average,2) | rename Minimum_Age as "Hours Since Last Seen" average as "Avg Hours Since Last Seen" lintervals as ST_Interval | fields - "Avg Hours Since Last Seen" ... View more