FAQ: How do I detect when a host (log source) stops sending logs?

LogScale can detect when a host or other log source stops sending logs using the now() or groupBy() function:

Here's an example of how this might work:

groupby(host, function=max(@timestamp, as=@timestamp))
| missing:=(now()-@timestamp)>(5*60*1000)
| missing=true

The query shows a line for each host that we have not heard from in the last 5 minutes (timestamps in LogScale are in milliseconds). Run the query as a live search in a time interval that is longer than the "missing" threshold - when the last log from a log source is older than your search time interval, the log source will disappear from the result.