Security

unused Vms/PCs

pawelsh
New Member

Hello,

If I wanted to find certain machines (virtual or not) that have not been logged into BY ANYONE in, let's say, the past 30 days, could you assist with a query/statement?

Or the easiest method to use for finding workstations or VMs we can remove based on no logins in the past X amount of days...

thanks in advance,

Patrick


kristian_kolb
Ultra Champion

So you want to search the logs for something that is not there. That is inherently problematic.
In essence you'll have to search through your logs for the last 30 days, and identify the systems that were used. Then you'll have to search through all the rest of your logs and make note of any system that is not part of the result set from the first search. Those would be the systems you really want to find.

One way to do that is through a subsearch;

sourcetype=your_sourcetype latest=-30@d NOT [sourcetype=your_sourcetype earliest=-30@d | dedup field_identifying_VM_or_PC | fields + field_identifying_VM_or_PC]

Another - far more efficient - way is if you have a trustworthy asset list that can be used as a lookup, since that would eliminate the outer part of the search above;

| inputlookup your_asset_file.csv | search NOT [sourcetype=your_sourcetype earliest=-30@d | dedup field_identifying_VM_or_PC | fields + field_identifying_VM_or_PC]

If you don't have an asset list, it might be useful to build one, with Splunk that is - especially if you are going to run this search on a regular basis. A good description of how to build state tables (which a list of currently active servers can be seen as) can be found here;

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

The idea is to;

  • read the list from disk as search results
  • search for new data (hostnames) and append them to the results
  • dedup the results
  • write out the new file to disk

Once you have this going, you could have a scheduled daily search that only has to go through a single day's worth of data.

What sort of data DO you have?

/k

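The three techniques in the answer above (log-only subsearch, asset-list lookup, and the maintained state table) as an added worked example in Python rather than SPL, so the logic can be run and checked offline. This is editor-added illustration, not code from the poster or from Splunk. The logon events, host names and the asset inventory are constructed sample data; the CSV state file stands in for the Splunk lookup that `inputlookup`/`outputlookup` would read and write. Note what the example makes visible: the log-only approach cannot report a host that never produced any event in either window, whereas the asset-list approach does.

```python
"""Find workstations/VMs with no logon in the last N days, three ways:
  1. log-only: hosts in older logs but not in the recent window (subsearch style)
  2. asset list minus hosts seen recently (lookup style)
  3. a persisted last-seen state table updated daily
All data below is constructed for the demonstration.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed "now" and sample logon events: (timestamp, host, user). Not real data.
NOW = datetime(2024, 3, 31, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    ("2024-03-30T09:12:00Z", "ws-alice", "alice"),
    ("2024-03-29T18:40:00Z", "vm-build01", "svc-build"),
    ("2024-02-10T07:05:00Z", "ws-bob", "bob"),        # last seen > 30 days ago
    ("2024-01-15T12:00:00Z", "vm-test07", "carol"),   # last seen > 30 days ago
    ("2024-03-31T08:00:00Z", "ws-alice", "alice"),
]

# Constructed asset inventory; vm-orphan99 never appears in the logs at all.
ASSET_LIST = ["ws-alice", "ws-bob", "vm-build01", "vm-test07", "vm-orphan99"]


def parse(ts):
    """Parse the constructed ISO-8601 UTC timestamps used above."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen(events):
    """Collapse events to host -> most recent logon time (the 'dedup' step)."""
    seen = {}
    for ts, host, _user in events:
        t = parse(ts)
        if host not in seen or t > seen[host]:
            seen[host] = t
    return seen


def stale_from_logs(events, now=NOW, days=30):
    """Approach 1: hosts present in older logs but absent from the last N days.
    A host with no events in either window is invisible to this method."""
    cutoff = now - timedelta(days=days)
    recent = {h for ts, h, _ in events if parse(ts) >= cutoff}
    older = {h for ts, h, _ in events if parse(ts) < cutoff}
    return sorted(older - recent)


def stale_from_assets(assets, events, now=NOW, days=30):
    """Approach 2: asset list minus hosts seen in the last N days.
    Also catches hosts that never produced a logon event."""
    cutoff = now - timedelta(days=days)
    recent = {h for ts, h, _ in events if parse(ts) >= cutoff}
    return sorted(set(assets) - recent)


def update_state_table(existing_csv_text, new_events):
    """Approach 3, daily maintenance: read the state file, merge today's
    events, keep the newest timestamp per host, and write it back.
    Returns the new CSV text (what outputlookup would persist)."""
    seen = {}
    for row in csv.DictReader(io.StringIO(existing_csv_text)):
        seen[row["host"]] = parse(row["last_seen"])
    for host, t in last_seen(new_events).items():
        if host not in seen or t > seen[host]:
            seen[host] = t
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["host", "last_seen"])
    for host in sorted(seen):
        writer.writerow([host, seen[host].strftime("%Y-%m-%dT%H:%M:%SZ")])
    return out.getvalue()


def stale_from_state(csv_text, now=NOW, days=30):
    """Query the state table: hosts whose last logon is older than N days."""
    cutoff = now - timedelta(days=days)
    return sorted(
        row["host"] for row in csv.DictReader(io.StringIO(csv_text))
        if parse(row["last_seen"]) < cutoff
    )


if __name__ == "__main__":
    print("log-only  :", stale_from_logs(SAMPLE_EVENTS))
    print("asset list:", stale_from_assets(ASSET_LIST, SAMPLE_EVENTS))
    state = update_state_table("", SAMPLE_EVENTS)   # first run, empty state file
    print("state tbl :", stale_from_state(state))
```

The state-table path is the one to schedule: each daily run only has to ingest that day's events and merge them into the persisted file, so the expensive 30-day scan happens once. When you retire a machine, also drop it from the asset list or state file, otherwise it will keep showing up as stale forever.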