For reporting purposes I created a SQL query to report when a winlogbeat agent hasn't sent any data within the last hour:
```
POST _sql?format=txt
{
  "query": """
    select agent.hostname, max("@timestamp") from "winlogbeat-*" group by agent.hostname HAVING (max("@timestamp") < NOW() - INTERVAL 1 HOUR)
  """
}
```
This was definitely working in Elasticsearch 7.6.2, but it looks like since we upgraded to 7.7.0 (in Elastic Cloud) this doesn't seem to return any results any more - nor are any errors logged that I can find.
Pretty sure I should get some results from this query, as if I run the following:
```
POST _sql?format=txt
{
  "query": """
    select agent.hostname, max("@timestamp") from "winlogbeat-*" group by agent.hostname order by max("@timestamp")
  """
}
```
I get results like:
```
agent.hostname | max("@timestamp")
---------------+------------------------
DESKTOP-x1     |2020-03-19T17:30:14.112Z
DESKTOP-x2     |2020-04-25T09:19:22.479Z
DESKTOP-x3     |2020-05-11T23:11:00.538Z
DESKTOP-x4     |2020-05-14T16:03:10.669Z
```
Any ideas what could be happening here?
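The check the HAVING clause expresses (latest event per host older than one hour) can also be evaluated client-side over the output of the second, unfiltered query. The following is an added example, not the poster's code or anything from Elastic; the `SAMPLE_ROWS` are constructed to mirror the result table above, and the `now` value is supplied explicitly so the result is reproducible. Running this against the real unfiltered result set separates "the data contains no stale agents" from "the SQL HAVING evaluation returns nothing", which is the distinction the post is asking about.

```python
from datetime import datetime, timedelta

# Constructed sample rows in the shape of the unfiltered query's result:
# (agent.hostname, max("@timestamp") as an ISO-8601 UTC string).
SAMPLE_ROWS = [
    ("DESKTOP-x1", "2020-03-19T17:30:14.112Z"),
    ("DESKTOP-x2", "2020-04-25T09:19:22.479Z"),
    ("DESKTOP-x3", "2020-05-11T23:11:00.538Z"),
    ("DESKTOP-x4", "2020-05-14T16:03:10.669Z"),
    ("DESKTOP-x5", "2020-05-14T16:40:00.000Z"),  # constructed: recent, should not be flagged
]


def parse_es_timestamp(value: str) -> datetime:
    """Parse an Elasticsearch @timestamp string into a timezone-aware datetime.

    datetime.fromisoformat() before Python 3.11 rejects the trailing 'Z',
    so it is rewritten as an explicit UTC offset first.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def stale_agents(rows, now, max_age: timedelta = timedelta(hours=1)):
    """Return [(hostname, last_seen)] for hosts whose newest event is older than max_age.

    This is the same predicate as the query's HAVING clause,
    max("@timestamp") < NOW() - INTERVAL 1 HOUR, evaluated in Python.
    `now` may be an aware datetime or an ISO-8601 string such as "2020-05-14T17:00:00Z".
    Results are sorted by last_seen, oldest first, matching the ORDER BY of the second query.
    """
    if isinstance(now, str):
        now = parse_es_timestamp(now)
    cutoff = now - max_age
    stale = [(host, ts) for host, ts in rows if parse_es_timestamp(ts) < cutoff]
    return sorted(stale, key=lambda item: parse_es_timestamp(item[1]))


if __name__ == "__main__":
    # Evaluate the one-hour rule at a fixed, constructed "now".
    for host, last_seen in stale_agents(SAMPLE_ROWS, "2020-05-14T17:00:00Z"):
        print(f"{host:<12} last event {last_seen}")
```

If the client-side check flags hosts while the HAVING query returns an empty result for the same time window, the difference lies in how the SQL predicate is evaluated, not in the data; if both return nothing, every host really has reported within the last hour and no alert is due.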