Available Indexes |inputlookup avail_indexes.csv | join type=left sourcetype [|metadata type=sourcetypes index=* | convert ctime(*Time)] | eval totalCount = tostring(totalCount, "commas") | stats list(sourcetype) AS Sourcetype values(retention) AS "Retention Periond (Days)" list(lastTime) AS "Latest Event" list(totalCount) AS "Total Count" by Index0truefalsenonecell100 /app/search/search/?q=search index%3D$row.Index$ /app/search/search/?q=search index%3D$row.Index$ sourcetype%3D$click.value2$ /app/search/search/?q=search index%3D$row.Index$ /app/search/search/?q=search index%3D$row.Index$ /app/search/search/?q=search index%3D$row.Index$ /app/search/search/?q=search index%3D$row.Index$ -30d@d now Index |inputlookup avail_indexes.csv | dedup Index | sort + Index Index Index true | tstats count WHERE index=$index_name$ GROUPBY sourcetype, _time span=1d | timechart span=1d sum(count) by sourcetype $time.earliest$ $time.latest$ column false ellipsisNone 0 visible visible visible linear linear inherit 50 10 area gaps 0.01 stacked shiny none 0 ellipsisMiddle right Time Count Index |inputlookup avail_indexes.csv | dedup Index | sort + Index All * |metadata type=hosts index=$index$ | convert ctime(*Time) | eval totalCount = tostring(totalCount, "commas") | rename firstTime AS "Earliest Event" lastTime AS "Latest Event" totalCount AS "Event Count" | fields host "Earliest Event" "Latest Event" "Event Count" | sort - "Latest Event"-30d@dnowfull15fullfalseall1listtruenone /app/search/search/?q=search index%3D$index$%20host=$row.host$ /app/search/search/?q=search index%3D$index$%20host=$row.host$ /app/search/search/?q=search index%3D$index$%20host=$row.host$ /app/search/search/?q=search index%3D$index$%20host=$row.host$ cell25