I use the recommended search below to find lost forwarders after a 24hr period.
| metadata type=hosts | eval age = now() - lastTime | search age > 86400 | sort age d | convert ctime(lastTime) | fields age,host,lastTime
I had read in the documentation that if you wanted to exclude a dead machine from this search you could tag the host and exclude that tag from the search. How do I apply that exclusion to the above search if I have tag::host (dead)?
Or can I insert a "search age < 4302000" also?
I could not add a NOT for a tag since just metadata host was used. I did however add the | search NOT age < 860000 to not list hosts down over two weeks (presumed dead to me).
I am not certain this will work, but you can try adding it to the end of your search:
... | search NOT tag::dead_host
If the above does not work, you will need to create a list of dead hosts and pass those in via a csv file using inputcsv (outputcsv to create the list). The appended search would be similar to the above, but with a combination of inputcsv.
You can just do it in the search language, but the metadata command itself does not output tags. To get the tags decorated onto the hosts you have to pipe through the tags command.
| metadata type=hosts | tags | search NOT tag::dead
Just tested it out with some ad-hoc tags in the search UI and it seems to work.
Friendly tip: you can add this as a comment on my answer rather than as its own answer. I can watch for the change and come back and delete this comment of my own later.
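As an added example (not from either answer above), here are the two exclusion approaches written out as complete searches: the first decorates the metadata rows with the tags command and filters on the resulting tag::host field, the second keeps a list of known-dead hosts in a lookup and drops them with a subsearch. The tag name "dead", the lookup file name dead_hosts.csv and its "host" column are assumed; inputlookup is used in place of the inputcsv/outputcsv pair suggested above, since it reads a lookup-table file rather than a results CSV.

```spl
| metadata type=hosts
| eval age = now() - lastTime
| search age > 86400
| tags
| search NOT tag::host=dead
| sort age desc
| convert ctime(lastTime)
| fields age, host, lastTime

| metadata type=hosts
| eval age = now() - lastTime
| search age > 86400 NOT [ | inputlookup dead_hosts.csv | fields host ]
| sort age desc
| convert ctime(lastTime)
| fields age, host, lastTime
```

The lookup variant needs dead_hosts.csv uploaded as a lookup table file with a header row containing the host field; the subsearch expands to (host=a OR host=b ...) and is negated as a whole, so a host listed there never reaches the result set regardless of its age.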