Hi...here is my search:
sourcetype="isc:dhcp" earliest=-10m@s latest=now | stats count as dhcp_count by _time | where dhcp_count<5000
I'll usually get returned stats:
4800
10,000
11,000
I have this running on a 5-minute cron schedule...don't see results. Perhaps I shall try real-time every 5 minutes...any thoughts appreciated.