I'm trying to use the `metadata` command to find hosts that have recently started sending logs. Basically when firstTime is more recent than 7 days. This is the search I have...
| metadata type=hosts index=* | eval firstday=strftime(firstTime,"%Y-%m-%d") | where firstday>=relative_time(now(),"-7d")
I have tried many variations of this, to no avail. The 'firstday' field shows accurately, but the results are not filtered. Is there something I don't understand about this metadata command? I appreciate the help!
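The comparison fails because of a type mismatch: `firstday` is a string produced by `strftime`, while `relative_time(now(),"-7d")` returns epoch seconds, so the `where` clause is not comparing two timestamps. The search below, added here as an example and not taken from the post, filters on the epoch value first and only formats the date for display afterwards:

```spl
| metadata type=hosts index=*
| where firstTime >= relative_time(now(), "-7d")
| eval firstday=strftime(firstTime, "%Y-%m-%d")
| table host firstday totalCount
```

`firstTime`, `totalCount` and `host` are the standard fields returned by `metadata type=hosts`; the `table` line just picks which of them to show.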