This is my stab at it:
| metadata type=hosts sourcetype="example" | convert ctime(recentTime) as Recent_Time | where lastTime LESSTHANSYMBOL (now() - 600)
I am using this query - (now() - 600) translates to look between now and 10 minutes(600 seconds) before of now.
Does look ok ?
This is probably closer to what you'll want:
| metadata type=sourcetypes | eval search_time=(now()-600) | eval status=if(lastTime<search_time, "NOT_OK", "OK") | table sourcetype, status
Fantastic ! This gives me across all sourcetypes
You could easily translate this to a by 'host' search as well. Just change the word 'sourcetype' to 'host'.