Query Details

Last Time Message Received

Query

// Use to show when there's a potential gap or stoppage in data flow

Syslog
| where SyslogMessage contains "rhost"
// \S+ stops at the first whitespace; the original greedy "(.*) " ran to the last space in the message
| extend rhost = extract(@"rhost=(\S+)", 1, SyslogMessage)
| summarize max(TimeGenerated), count() by rhost
// datetime_diff(period, later, earlier): putting now() first yields positive seconds since the last message
| extend secondsDiff = datetime_diff('second', now(), max_TimeGenerated)

Explanation

This query is used to identify potential gaps or stoppages in data flow. It searches the Syslog table for messages containing "rhost" and extracts the value of the "rhost" field. It then summarizes, for each "rhost", the most recent TimeGenerated and the number of messages. Finally, it calculates the number of seconds between that most recent message and the current time; a large value for a source that normally logs steadily points to a gap or a stopped feed.
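A companion query, added here as an example and not part of the original entry, that goes one step further: instead of only reporting the raw secondsDiff, it flags each rhost whose current silence is long relative to that source's own usual inter-message interval. The 7-day lookback and the factor of 3 are assumed tuning values.

```kusto
// Added example: flag each rhost whose current silence exceeds its own typical
// inter-message gap. lookback and stale_factor are assumed tuning values.
let lookback = 7d;
let stale_factor = 3;
Syslog
| where TimeGenerated > ago(lookback)
| where SyslogMessage contains "rhost"
| extend rhost = extract(@"rhost=(\S+)", 1, SyslogMessage)
| where isnotempty(rhost)
// serialize so prev() can look at the previous row for the same rhost
| order by rhost asc, TimeGenerated asc
| extend prevHost = prev(rhost), prevTime = prev(TimeGenerated)
| extend gapSeconds = iff(prevHost == rhost,
                          datetime_diff('second', TimeGenerated, prevTime),
                          int(null))
| summarize lastSeen = max(TimeGenerated),
            messages = count(),
            typicalGapSeconds = percentile(gapSeconds, 50)
          by rhost
// later time first, so the result is positive seconds since the last message
| extend silentSeconds = datetime_diff('second', now(), lastSeen)
// sources with a single message have no gap history; keep them visible
| where isnull(typicalGapSeconds) or silentSeconds > stale_factor * typicalGapSeconds
| project rhost, lastSeen, messages, typicalGapSeconds, silentSeconds
| order by silentSeconds desc
```

A source with a null typicalGapSeconds has logged only once in the lookback window, so it is listed for review rather than scored.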

Details


Rod Trent

Released: April 1, 2022

Tables

Syslog

Keywords

Syslog,SyslogMessage,rhost,TimeGenerated,secondsDiff

Operators

where,contains,extend,extract,summarize,max,count,by,datetime_diff,extend
