I'm working in an environment where the light forwarders watching Windows eventlog inputs are configured for many different timezones.
As I found in another question, this is a bit of a problem because the Windows eventlog inputs don't include timezone info with their timestamps.
Is there a quick query that can show me the last timestamp received from a host?
I am thinking that this might not be in the metrics log, because that might only contain info about how much the server parsed at that time. I'm looking for "last timestamp from all hosts" in a way that doesn't have to sort through the raw results of every single event.
asked 21 Jan '11, 22:19
The best I can come up with is just reviewing the metadata lastTime on hosts I /think/ should have sent data recently but might have incorrect timezone extrapolation. This is difficult because I have >1000 hosts that send correct time, but may be low volume, and maybe 100 that do not.
| metadata type=hosts | convert timeformat="%y-%m-%d %H:%M:%S" ctime(lastTime) as mytime | table host,lastTime,mytime
The weird thing is that metadata's lastTime is being set to the time provided by the light forwarder... not the time of indexing on my indexer. Perhaps this is a bug. The documentation describes lastTime as the last time the indexer saw an event from the host. I read this as "the last time data was sent from this host", but maybe that can't apply for light or heavy forwarders.
answered 21 Jan '11, 22:47
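One way to triage the output of the answer's search without eyeballing a thousand hosts, as an added example that is not part of the question or the answer above: export `| metadata type=hosts | ... | table host,lastTime,mytime` to CSV and compare each host's lastTime with the indexer's own clock. A lastTime that lies in the future (beyond ordinary clock drift) can only come from a forwarder whose timezone is wrong, so those hosts are certain hits; a lastTime that lags by something that looks like a timezone offset (a half-hour multiple up to about 14 hours) is a candidate that could equally be a quiet host, which is exactly the ambiguity the answer describes. The hosts, epoch values and the "now" value below are constructed, the tolerance and offset constants are assumptions, and the code assumes the indexer's clock is correct.

```python
import csv
import io

# Constructed sample of the answer's search exported as CSV:
#   | metadata type=hosts
#   | convert timeformat="%y-%m-%d %H:%M:%S" ctime(lastTime) as mytime
#   | table host,lastTime,mytime
# lastTime is epoch seconds; mytime here is rendered in UTC. These are not real hosts.
SAMPLE_CSV = """host,lastTime,mytime
dc01,1295648280,11-01-21 22:18:00
app05,1295648490,11-01-21 22:21:30
web02,1295659170,11-01-22 01:19:30
db06,1295668210,11-01-22 03:50:10
fs03,1295630445,11-01-21 17:20:45
old07,1295641900,11-01-21 20:31:40
print04,1295474366,11-01-19 21:59:26
"""

# "Now" on the indexer when the search ran: 2011-01-21 22:20:00 UTC (constructed).
NOW = 1295648400

CLOCK_SKEW_TOLERANCE = 5 * 60    # assumption: ordinary NTP drift, not a timezone problem
TZ_STEP = 30 * 60                # real UTC offsets fall on half-hour boundaries
MAX_TZ_OFFSET = 14 * 3600        # and lie within roughly [-12:00, +14:00]


def format_offset(seconds):
    """Render a UTC-style offset such as +05:30 or -05:00."""
    sign = "+" if seconds >= 0 else "-"
    seconds = abs(seconds)
    return f"{sign}{seconds // 3600:02d}:{(seconds % 3600) // 60:02d}"


def classify(last_time, now=NOW):
    """Classify one host's metadata lastTime relative to the indexer's clock.

    Returns (category, suspected_offset) where category is one of:
      ok               - within clock-skew tolerance
      future           - lastTime is ahead of the indexer: cannot be legitimate,
                         so the forwarder's timezone is wrong
      possible_tz_skew - behind by something that looks like a timezone offset;
                         could also just be a quiet host, so it needs a manual look
      quiet            - behind by an amount that does not look like a tz offset
    """
    delta = last_time - now
    if abs(delta) <= CLOCK_SKEW_TOLERANCE:
        return "ok", None

    # Snap the lag/lead to the nearest half-hour and see if it is a plausible offset.
    nearest = round(delta / TZ_STEP) * TZ_STEP
    looks_like_tz = (
        nearest != 0
        and abs(nearest) <= MAX_TZ_OFFSET
        and abs(delta - nearest) <= CLOCK_SKEW_TOLERANCE
    )
    offset = format_offset(nearest) if looks_like_tz else None

    if delta > 0:
        return "future", offset
    if looks_like_tz:
        return "possible_tz_skew", offset
    return "quiet", None


def triage(csv_text, now=NOW):
    """Parse the exported search results and classify every host."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: classify(int(row["lastTime"]), now) for row in rows}


def hosts_in(results, category):
    """Hosts whose classification matches the given category, sorted by name."""
    return sorted(h for h, (cat, _) in results.items() if cat == category)


if __name__ == "__main__":
    results = triage(SAMPLE_CSV)
    for host, (category, offset) in results.items():
        print(f"{host:<8} {category:<17} {offset or ''}")
```

Only the "future" bucket is conclusive; "possible_tz_skew" hosts still need the check the answer describes, but the list to review shrinks from every host to those whose lag happens to sit on a half-hour boundary. Since lastTime here reflects the forwarder's rendering of the event time rather than the index time, the same comparison against the indexer clock is what exposes the misconfigured forwarders in the first place.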