Hello,
I have a sourcetype list in a .csv file, and we need to monitor whether the event count for any of those sourcetypes drops to zero or the sourcetype has not been seen in the last 24 hours.
This is what I'm using, but any suggestion will be much appreciated.
| inputlookup sourcetype.csv
| join type=left sourcetype [| metadata type=sourcetypes index=*]
| fillnull value=0 recentTime totalCount
| where recentTime < relative_time(now(), "-24h")
| eval recentTime=strftime(recentTime, "%Y-%m-%d %H:%M:%S")
| table sourcetype totalCount recentTime
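An alternative worded as an added example (not the poster's query, and not an official Splunk search): it counts indexed events per sourcetype with `tstats` instead of reading `metadata`, so the "zero in the last 24 hours" condition is an actual event count over the window rather than the index-time `recentTime` of the bucket metadata, and it also reports the last hour each silent sourcetype was seen over a 7-day lookback so you can tell how long it has been dark. It assumes the lookup `sourcetype.csv` has a column named `sourcetype` and that every index of interest is searchable via `index=*`; narrow that to the real index list in production. `append` plus `stats` is used instead of `join` so the result is not subject to the join subsearch result limit.

```spl
| tstats count WHERE index=* earliest=-7d BY sourcetype _time span=1h
| eval in_window=if(_time >= relative_time(now(), "-24h"), count, 0)
| stats sum(in_window) AS events_24h max(_time) AS last_seen BY sourcetype
| append
    [| inputlookup sourcetype.csv
     | eval in_lookup=1, events_24h=0 ]
| stats max(events_24h) AS events_24h max(last_seen) AS last_seen max(in_lookup) AS in_lookup BY sourcetype
| where in_lookup=1 AND events_24h=0
| eval last_seen=if(isnull(last_seen), "not seen in 7 days", strftime(last_seen, "%Y-%m-%d %H:%M"))
| table sourcetype events_24h last_seen
```

Sourcetypes that produced events in the last 24 hours get their real count from the `tstats` rows and are dropped by the final `where`; sourcetypes that exist only in the lookup keep the `events_24h=0` placeholder and are reported. Schedule it as an alert on "number of results > 0" to be notified whenever any listed sourcetype goes quiet.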