I'm trying to search my log data and figure out if a list of host names is not sending specific event IDs.
I have a lookup table called audit_items.csv with the following: 4624 has data while 7777 purposely shows nothing.
My search looks like this.
| inputlookup audit_items.csv
| join type=outer EventID
[ search host="127.0.0.1:8088"
| stats count by EventID Hostname]
| table Hostname, EventID count
| fillnull value=0
What I would like to do is add another lookup table with a list of Hostnames so that, instead of my results showing nothing for EventID 7777, it will also tell me each Hostname not sending each type of EventID.
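One way to get a per-host row for every expected EventID, as an added example that is not part of the original question: build the full Hostname x EventID matrix from the two lookups first (a Cartesian product via stats/append/mvexpand, since join only matches rows that already exist on the left), then outer-join the observed counts onto that matrix and keep the rows with a count of 0. It assumes a second lookup named hosts.csv whose column is called Hostname, and that the stats field name in the event search matches that column exactly.

```spl
| inputlookup hosts.csv
| stats values(Hostname) as Hostname
| append
    [ | inputlookup audit_items.csv
      | stats values(EventID) as EventID ]
| stats values(Hostname) as Hostname values(EventID) as EventID
| mvexpand Hostname
| mvexpand EventID
| join type=outer Hostname EventID
    [ search host="127.0.0.1:8088"
      | stats count by EventID Hostname ]
| fillnull value=0 count
| where count=0
| table Hostname EventID count
```

The two stats calls collapse each lookup into a single multivalue field and then merge them into one row; the two mvexpand calls turn that row into one row per (Hostname, EventID) pair, so every expected combination exists before the join. Remove the `where count=0` line to see the full matrix with counts. Because join runs the event search as a subsearch, the usual subsearch result and runtime limits apply; on large environments, consider saving the stats output to a summary index or a lookup and joining against that instead.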