Viewing sources that haven't reported in

I can’t seem to wrap my head around how to accomplish this in Graylog, but I need a way that I can look at sources that have sent in logs in the past 30 days but haven’t in the last 7. The goal is to find a way to keep track of devices that have communication issues with Graylog or various other issues. It doesn’t appear you can do a search with a greater than or less than on the timestamp field?

My idea is the timeframe would be last 30 days and some sort of filter where the last message was over 7 days ago.

In the latest Graylog you could create one aggregation with the timeframe of the last 30 days and one with the timeframe of the last 7 days.

When you define two new fields you could search that it shows you all events that do not have both additional fields available.

With the correlation engine you could even get a notification for that.
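The two-window idea from the reply above, worked through as an added example (not code from the thread or from Graylog itself): build a per-source "last seen" table from a 30-day window, build another from a 7-day window, and report every source that appears in the first but not the second, together with how many days it has been silent. The sample messages and the `NOW` reference time are constructed for the example; in practice the tuples would come from a Graylog search or aggregation export.

```python
"""
Find log sources that reported within the last 30 days but not within the last 7.

The logic mirrors the two-aggregation approach from the thread: compute the
latest timestamp per source inside a long window and inside a short window,
then flag sources present in the long window only. Sample data is constructed.
"""
from datetime import datetime, timedelta, timezone

LONG_WINDOW = timedelta(days=30)
SHORT_WINDOW = timedelta(days=7)

# Constructed reference time and sample (source, timestamp) pairs, roughly the
# shape of Graylog's "source" and "timestamp" fields after export.
NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)
SAMPLE_MESSAGES = [
    ("fw-edge-01", NOW - timedelta(days=1)),     # healthy, seen yesterday
    ("fw-edge-01", NOW - timedelta(days=20)),
    ("sw-core-02", NOW - timedelta(days=9)),     # last seen 9 days ago -> flag
    ("sw-core-02", NOW - timedelta(days=25)),
    ("vpn-gw-03", NOW - timedelta(days=45)),     # outside the 30-day window -> ignore
    ("app-web-04", NOW - timedelta(hours=6)),    # healthy
    ("app-web-04", NOW - timedelta(days=8)),
]


def last_seen_by_source(messages, now, window):
    """Return {source: latest timestamp} for messages within `window` of `now`.

    Messages older than the window start, or timestamped in the future
    (clock skew on the sending device), are skipped.
    """
    cutoff = now - window
    last_seen = {}
    for source, ts in messages:
        if ts < cutoff or ts > now:
            continue
        if source not in last_seen or ts > last_seen[source]:
            last_seen[source] = ts
    return last_seen


def silent_sources(messages, now=NOW, long_window=LONG_WINDOW, short_window=SHORT_WINDOW):
    """Sources seen in the long window but absent from the short window.

    Returns {source: whole days since its last message}, so the result can be
    sorted by how long a device has been quiet.
    """
    seen_long = last_seen_by_source(messages, now, long_window)
    seen_short = last_seen_by_source(messages, now, short_window)
    return {
        source: (now - ts).days
        for source, ts in seen_long.items()
        if source not in seen_short
    }


if __name__ == "__main__":
    for source, days in sorted(silent_sources(SAMPLE_MESSAGES).items(), key=lambda kv: -kv[1]):
        print(f"{source}: no messages for {days} days")
```

Note the asymmetry the thread relies on: a device that has never logged in the long window (or one that went quiet more than 30 days ago, like `vpn-gw-03` here) is not reported, so the long window bounds how far back "known devices" reach. Widen `LONG_WINDOW` if you want to keep tracking devices that have been silent longer.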
