Hello,
I'm currently trying to see which devices haven't checked in to Splunk in over +30days. The query i've been using shows only 3 devices. But, when I verify that it has phoned home and sent data to the Indexer, it has — so, I'm not sure why i'm not getting accurate results.
index=_internal sourcetype=splunkd group=tcpin_connections version=* os=* arch=* build=* hostname=* source=*metrics.log
| stats latest(version) as version,latest(arch) as arch,latest(os) as os,latest(build) as build by hostname
| join hostname [ | metadata type=hosts index=*
| eval last_seen_hours=(now()-lastTime)/60/60
| search last_seen_hours > 360
| table host, last_seen_hours
| rex field=host "(?[^\.]+)" | fields - host ]
↧