Tracking information about your sources.
Inputs

Index ($index_token$): dropdown populated by the search
  | rest /services/data/indexes/
  | dedup title

Time range ($time_token$): default last 15 days (-15d to now)

Moving-average window ($sma1$): default 5; options 2, 5, 7, 10, 15, 20, 30, 60, 90 and 180 days

Show Charts / Hide Charts toggle

Events Timeline

The moving average line displays the event count (linear) over time

Search (the same search drives the table and the chart view; the moving-average label follows the selected $sma1$ window instead of being hardcoded to 5d):
  | tstats local=f prestats=f count AS Events WHERE index=$index_token$ earliest=$time_token.earliest$@d latest=$time_token.latest$ BY _time span=1d
  | trendline sma$sma1$(Events) AS sma
  | rename sma AS "Moving_Average($sma1$d)"

Host Timeline

The moving average line displays the number of hosts (agents, clients) reporting events over time

Search (the same search drives the table and the chart view):
  | tstats local=f prestats=f dc(host) AS Hosts WHERE index=$index_token$ earliest=$time_token.earliest$@d latest=$time_token.latest$ BY _time span=1d
  | trendline sma$sma1$(Hosts) AS sma
  | rename sma AS "Moving_Average($sma1$d)"
Clock Skew violations by frequency

The moving average line should be kept steady. An event is counted as skewed when the indexed time and the extracted event time differ by more than the threshold (3600 s, i.e. one hour) in either direction.

Search:
  | tstats local=f prestats=f count WHERE index=$index_token$ BY _indextime, _time span=1s
  | eval th=3600
  | eval diff=abs(_indextime-_time)
  | eval high=if(diff>th,count,0)
  | timechart span=1h cont=t sum(high) AS count
  | fillnull value=0 count
  | trendline sma24(count) AS "Moving_Average(24h)"
  | rename count AS "Clock skewed (>1h, <-1h)"

Clock Skew violations by actual value (indexed - extracted time)

The median time should be kept steady and below the threshold

Search:
  | tstats local=f prestats=f count WHERE index=$index_token$ BY _indextime, _time span=1s
  | eval diff=_indextime-_time
  | fields - count
  | timechart span=1h cont=t avg(diff) AS "Average", median(diff) AS "Median"
  | eval th=3600
  | rename th AS "Threshold(1h)"

Reporting Hosts - Last 15 days

The number of days missing displays the difference between the current date and the last time an event was seen from each host

Search (the event-count abbreviation thresholds are ordered so that each unit branch is reachable: quadrillion, T, B, M, K):
  | tstats local=f prestats=f count AS Events WHERE index=$index_token$ earliest=$time_token.earliest$ latest=$time_token.latest$ BY host, _time
  | rex field=host "(?<domain>[^\\\]+)"
  | stats sum(Events) AS Events, max(_time) AS _time BY domain
  | eval miss = floor((now() - _time)/86400)
  | convert ctime(_time) timeformat="%Y-%m-%d %H:%M:%S"
  | sort - Events
  | eval Events=case(Events>1000000000000000, "More than a Quadrillion! \m/", Events>1000000000000, round(Events/1000000000000)."T", Events>1000000000, round(Events/1000000000)."B", Events>1000000, round(Events/1000000)."M", Events>1000, round(Events/1000)."K", 1=1, Events)
  | rename _time AS "Last seen", domain AS "Host", miss AS "Days Missing"