I would like to be able to identify new servers in the indexed search below:
index=####vsource=######### Extract.csv" | table Name,_time,LastScanDate | timechart span=1d dc(Name)
I used to do this manually in Excel using VLOOKUPs. I am sure there is some method I could use to identify servers that only had a current timestamp. (This data is 24 hours old when I pull it into Splunk.)
Try this:
yoursearchhere
| stats latest(LastScanDate) as MostRecentScanDate count by Name
| where count = 1
| table Name MostRecentScanDate
This produces a list of servers with their most recent scan date. It only shows servers with one entry, which should be "new" servers.
I am unclear what you wanted to plot with the timechart command, so I kept it simple here.
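A variant of the search above, as an added example that is not part of the original answer: it keys on when each Name first appears rather than on the entry count, so the result does not depend on how many daily extracts the search window happens to cover. The index and source placeholders, the 30-day lookback, the two-day cutoff (allowing for the extract being 24 hours old), and the assumption that _time reflects the day each extract row was indexed are all assumptions.

```spl
index=<your_index> source=<your_extract_csv> earliest=-30d@d
| stats earliest(_time) as FirstSeen latest(LastScanDate) as MostRecentScanDate count as Extracts by Name
| where FirstSeen >= relative_time(now(), "-2d@d")
| eval FirstSeen=strftime(FirstSeen, "%Y-%m-%d")
| table Name FirstSeen MostRecentScanDate Extracts
```

A server that appeared in only one extract weeks ago has an old FirstSeen and is filtered out here, whereas a count of 1 alone would still list it.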