and how to list out the hosts and sources that satisfies my search?

to list out the hosts and sources that satisfies my search -

your search | regex _raw!="\d{4}-\d{2}-\d{2}" | table host source

what if we want to display only the windows events. is there any unique search stanza to display only the windows hosts and filtr out the other os's?

Since both the timestamp and OS info for the hosts are written in totally different logs, you can't achieve this using same base search. My suggestion would be to create a lookup table with all host and their corresponding OS and use that lookup to filter out hosts from above query.

Query to generate lookup

index=_internal source=*metrics.log os=* earliest=-1h@h  | stats latest(os) as os by host | outputlookup host_os.csv 

Use lookup to exclude hosts

your base search [| inputlookup host_os.csv | where os="Windows" | table host ] | regex _raw!=".*2016-\d{2}-\d{2}.*" | stats count by host, source

So without using the lookup's can I below the below search result was accurate?

index=* [ search index=_internal os=Windows sourcetype=splunkd | stats count by hostname | rename hostname as host | fields host ] | regex _raw!=".2016-\d{2}-\d{2}." | regex _raw!=".2016/\d{2}/\d{2}." | stats values(source) as sources values(sourcetype) as sourcetypes by host

Yes it will be. Lookups will be good for performance as you don't have to go through internal logs every time.

Hi Pavanae. I agree with the other answers here, although it's not been made clear whether or not the specific format of your timestamp needs to be part of the exclusion - i.e. should the exclusion encapsulate both YYYY-MM-DD and YYYY-DD-MM?

Also as a general rule - and if possible - it's better to know what you're looking for - rather than what you're not. 🙂