I have a query as follows
| inputlookup ABCD | search Forward="Yes" | table Region,IPHost, ip_address | rename Region AS my_region, IPHost AS my_hostname, ip_address AS my_ip
| join type=left my_hostname [|metadata type=hosts index=* | rename host AS my_hostname]
|eval lastTime=if(lastTime>0,lastTime,0)
|eval timeDiff=now()-lastTime
| eval last_seen_in_24_hours=if(timeDiff>86400,"NO","YES")
| eval lastReported=strftime(lastTime,"%F %T")
| table my_region,my_hostname,last_seen_in_24_hours,lastReported
Which displays the results as follows
![alt text][1]
[1]: /storage/temp/213578-dashboard.png
For some reason though the hosts were reporting to splunk (I verified that by picking the hosts from the dashboard and searching with host="abcd" for last 24 hours) all I can see from the dashboard is NO for last_seen_in_24_hours field.
Could anyone let me know where did i made the mistake or help me modifying the query to display the 4 accurate results like YES for all the hosts which were reporting
↧