stephenb
(Stephen Brown)
September 9, 2023, 9:40pm
2
Hi @Shinej
There is a pretty cool way to do this using a latest transform with the host.name.
Take a look at this. This particular example is about users.
But I actually did this same thing for the last log from each host.
Basically the latest transform just keeps the latest log from each host.
Then you can just check / alert which hosts have not reported in in the last 24 hours.
I think a latest transform could perhaps be a good solution.
I did this for hosts, not users, but same concept. We wanted to see what hosts had not sent logs lately.
Basically if you do a latest transform using a user ID as the unique identifier and the timestamp as the latest time then you will see the user that has not logged in in the last day or two days or a week etc.
Most of your users will have logged in recently, but you'll see the tail of the users that have not.
It's actually could be pr…
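
The approach described in this post, written out as Kibana Dev Tools requests. This is an added example, not the configuration from the original post; the transform id, the `logs-*` source pattern and the `last-seen-per-host` destination index are assumptions to adapt.

```console
# Latest transform: keep one document per host.name, the one with the
# newest @timestamp. Index names and the transform id are assumed.
PUT _transform/last-seen-per-host
{
  "source": { "index": "logs-*" },
  "dest": { "index": "last-seen-per-host" },
  "latest": {
    "unique_key": ["host.name"],
    "sort": "@timestamp"
  },
  "sync": {
    "time": { "field": "@timestamp", "delay": "60s" }
  },
  "frequency": "5m"
}

# Run it continuously so the destination index tracks new logs.
POST _transform/last-seen-per-host/_start

# Hosts whose latest log is older than 24 hours, quietest first.
GET last-seen-per-host/_search
{
  "size": 100,
  "_source": ["host.name", "@timestamp"],
  "query": {
    "range": { "@timestamp": { "lt": "now-24h" } }
  },
  "sort": [ { "@timestamp": "asc" } ]
}
```

The final search can back an alerting rule on the destination index. A host that has never sent a log has no document there, so it will not appear in the results and needs to be checked against an inventory instead.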