I would recommend doing this with a simple metadata search and a lookup file of expected hosts.
## transforms.conf
[expected_host_lookup]
filename = expected_hosts.csv
## expected_hosts.csv
host,is_expected
hostA,true
hostB,true
search:
| metadata type=hosts | append[inputlookup expected_host_lookup | eval lastTime=0 | eval totalCount=0] | stats max(lastTime) as lastTime, sum(totalCount) as totalCount by host | lookup expected_host_lookup host OUTPUT is_expected | search is_expected=true totalCount=0
This search is extremely cheap since we are using metadata and a few simple lookups. The first inputlookup appends the expected hosts table and is then consolidated by stats. We do a subsequent lookup to get the is_expected values again. Finally, we search for expected hosts w/ a totalCount of 0. You could also perform a query based on lastTime if you are interested in hosts that haven't reported in recently....
... View more