All,
I have a list of PCI hosts. Now what I want to do is take that list of hosts and create a report/alert to display hosts which are not reporting /var/log/secure. Any idea how I might do this from a search?
Hey @daniel333, if @somesoni2's solution worked then please don't forget to accept his answer to award karma points and close the question. 🙂
Assuming you can create a lookup table file with your list of hosts (say myhosts.csv, with host as the header), try something like this:
| tstats count WHERE index=IndexWhichHasSecurelogData source="/var/log/secure" [| inputlookup myhosts.csv | table host ] by host
| append [| inputlookup myhosts.csv | table host | eval count=0 ] | stats max(count) as count by host | where count=0
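Added here as an illustration and not part of somesoni2's answer: the same coverage check modelled in Python on constructed sample data (the host names, the CSV contents and the events are all made up). The stages mirror the search above, and the `normalize` switch shows the case that commonly trips this search up, a lookup listing a short hostname while the indexed events carry the FQDN, which the exact host match reports as a silent host.

```python
"""Offline model of the tstats/append/stats pipeline from the answer above."""
import csv
import io
from collections import defaultdict

# Constructed stand-in for myhosts.csv with header "host" (not real PCI hosts).
MYHOSTS_CSV = "host\npci-web01\npci-db01\npci-app02\n"

# Constructed stand-in for indexed events as (host, source) pairs.
INDEXED_EVENTS = [
    ("pci-web01", "/var/log/secure"),
    ("pci-web01", "/var/log/secure"),
    ("pci-db01.corp.example", "/var/log/secure"),  # host indexed as FQDN
    ("pci-app02", "/var/log/messages"),            # wrong source, not counted
    ("other-host", "/var/log/secure"),             # not in the lookup
]


def load_lookup(csv_text):
    """Equivalent of: | inputlookup myhosts.csv | table host"""
    return [row["host"] for row in csv.DictReader(io.StringIO(csv_text))]


def short_name(host):
    """Optional normalisation: 'pci-db01.corp.example' -> 'pci-db01'."""
    return host.split(".", 1)[0].lower()


def silent_hosts(events, lookup_hosts, source="/var/log/secure", normalize=False):
    """Return lookup hosts with no events for `source`.

    Mirrors: tstats count WHERE source=... [lookup hosts] by host
             | append [lookup hosts | eval count=0]
             | stats max(count) as count by host | where count=0
    """
    key = short_name if normalize else (lambda h: h)
    wanted = {key(h) for h in lookup_hosts}
    # tstats count ... by host, restricted to hosts named in the lookup
    counts = defaultdict(int)
    for host, src in events:
        h = key(host)
        if src == source and h in wanted:
            counts[h] += 1
    # append count=0 rows, then max(count) by host: a host with real events
    # keeps its count, a host seen only via the appended row stays at 0
    for h in wanted:
        counts[h] = max(counts[h], 0)
    return sorted(h for h, c in counts.items() if c == 0)
```

With `normalize=False` the FQDN host pci-db01 is wrongly listed as silent; with `normalize=True` only pci-app02, which sends a different source, remains.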