data sampling scope should be restricted to active data sources

trackme/default/macros.conf

@@ -1578,7 +1578,7 @@ iseval = 0
 definition = search index=_internal sourcetype=scheduler earliest=-4h latest=now status="*" AND status!="continued" trackme app="trackme" savedsearch_name="TrackMe - Data sampling and format detection tracker"\
 | stats avg(run_time) AS avg_run_time, max(run_time) AS max_run_time, latest(run_time) AS latest_run_time, latest(result_count) as last_processed_no_entities by savedsearch_name\
 | foreach avg_run_time max_run_time latest_run_time [ eval <<FIELD>> = round('<<FIELD>>', 2) ]\
-| appendcols [ | inputlookup trackme_data_source_monitoring where data_monitored_state="enabled" | stats count as total_entities ]\
+| appendcols [ | inputlookup trackme_data_source_monitoring where data_monitored_state="enabled" | where data_last_time_seen>relative_time(now(), "-24h") | stats count as total_entities ]\
 | eval potential_rate_sec=round(avg_run_time/last_processed_no_entities, 2)\
 | eval max_accepted_run_time_sec=`trackme_data_sampling_max_allowed_runtime_sec`\
 | eval max_entities_to_process=round(max_accepted_run_time_sec/potential_rate_sec, 0)\

trackme/default/savedsearches.conf

@@ -11,7 +11,7 @@ request.ui_dispatch_app = trackme
 request.ui_dispatch_view = trackme
 search = | savedsearch runSPL [\
 \
-| inputlookup trackme_data_source_monitoring where data_monitored_state="enabled" | eval key=_key | sort limit=0 data_sample_lastrun | head [ `trackme_data_sampling_algo_entities_to_process` ]\
+| inputlookup trackme_data_source_monitoring where data_monitored_state="enabled" | eval key=_key | where data_last_time_seen>relative_time(now(), "-24h") | sort limit=0 data_sample_lastrun | head [ `trackme_data_sampling_algo_entities_to_process` ]\
 \
 `comment("##### Once the KVstore content is loaded, we need to adress the specific case of Elastic sources #####")`\
 | `trackme_lookup_elastic_sources`\