Run this search once by hand for ALL TIME
| tstats values(host) AS host WHERE index=* OR index=_* | outputcsv MyHostList.csv
Schedule this to run at least once every day:
| inputcsv MyHostList.csv | append [| tstats values(host) AS host WHERE index=* OR index=_*] | stats values(host) AS host | outputcsv MyHostList.csv
Then run this search as an alert:
| tstats values(host) AS host WHERE index=* OR index=_* | eval dataset="current" | appendpipe [|inputcsv MyHostList.csv | eval dataset="expected"] | stats dc(dataset) AS numDatasets values(dataset) AS dataset BY host | where numDatasets=1 AND dataset="expected"
