hey @syedak,
You can use a subsearch to accomplish this:
|inputlookup hosts.csv | search NOT [search index=_internal |dedup host | table host]
This search will take your CSV and eliminate hosts found in the subsearch. The hosts.csv will contain all the hosts, with the column name of host:
host
host1
host2
host3
Obviously, modify the subsearch and CSV names to suit your environment.
If you'd like to look at your data as the only indicator, I'd recommend | tstats:
| tstats count, latest(_time) AS last_seen where index=* by sourcetype,host | eval timeDiff=now()-last_seen | search timeDiff>900
Change "900" to how long you'd like to consider something missing, in seconds. | tstats is going to be significantly faster than | metadata.
Let me know if this helps!
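Putting the two ideas above together (the expected-host lookup and the | tstats last-seen check) gives a single search that reports, for every host you expect, when it was last seen and whether it has gone quiet. This is an added example, not part of either answer; it assumes the same hosts.csv with a single host column, a 900-second threshold, and that host values in the lookup match the host field in your indexed data exactly (case included).

```spl
| inputlookup hosts.csv
| eval expected=1
| append [
    | tstats latest(_time) AS last_seen where index=* earliest=-7d by host
  ]
| stats max(expected) AS expected, max(last_seen) AS last_seen by host
| where expected=1
| eval seconds_silent=if(isnull(last_seen), null(), now()-last_seen)
| eval status=case(isnull(last_seen), "never seen in window",
                   seconds_silent>900, "stale",
                   true(), "ok")
| where status!="ok"
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table host, last_seen, seconds_silent, status
```

The append plus stats merges the lookup rows (expected=1, no last_seen) with the tstats rows (last_seen, no expected) on host, so hosts that never sent anything in the window survive as "never seen in window" rather than silently dropping out the way they would in a plain NOT subsearch. The earliest=-7d bound keeps tstats from scanning the whole index; widen it if a host is allowed to be quiet longer than that. Saved as a scheduled alert that fires on any result, this is the usual "host stopped reporting" detection.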
Hi,
Is there any field which can tell you that the server is not reporting? If yes, then you can use the following query:
| stats dc(host) AS "No of server" sum(eval(if(<field>=="true",1,0))) AS "Server not reporting" by date
Edit according to your environment.