Hi @antb ,
I would use tstats instead of metadata for this one.
You could do something like this:
| tstats summariesonly=t count
    where ( earliest=@d-7d latest=@m )
    ( [ | inputlookup critical_device_sample | stats count by Index | table Index | rename Index as index | format ] )
    ( [ | inputlookup critical_device_sample | stats count by SplunkHost | table SplunkHost | rename SplunkHost as host | format ] )
    by _time span=1d host
| stats max(_time) as maxtime by host
| eval timecheck = relative_time(now(), "@d")
| where maxtime < timecheck
This search quickly finds events for hosts in the last 7 days and filters to show only those hosts that do not have events for the current day. It is also limited to the list of indexes found in your critical_device_sample lookup as well as the list of hosts.
I would also change the format of your lookup to have the following fields:
SplunkHost,Group,Priority,HoursLag,Index
The reason for this is that you want to be able to look up whether a device is in a particular group and what its priority is. You could then adjust the above search using this lookup to add further value/insight.
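As an added example (not part of the reply above), here is one way the search could be adjusted once the lookup carries the extra fields. It assumes critical_device_sample is configured as a lookup definition (not just an uploaded CSV), that HoursLag holds a numeric number of hours, and that Priority sorts meaningfully as a plain value. The append of the lookup's host list is there so that a critical host with no events at all in the window still shows up; tstats alone only returns hosts that had at least one event.

```spl
| tstats count
    where earliest=-7d@d latest=now
    [ | inputlookup critical_device_sample | stats count by Index | rename Index as index | format ]
    by _time span=1h host
| stats max(_time) as maxtime by host
| append
    [ | inputlookup critical_device_sample | rename SplunkHost as host | fields host ]
| stats max(maxtime) as maxtime by host
| lookup critical_device_sample SplunkHost as host OUTPUT Group Priority HoursLag
| eval lag_hours = round((now() - maxtime) / 3600, 1)
| eval status = case(
      isnull(maxtime), "no events in 7 days",
      lag_hours > tonumber(HoursLag), "stale",
      true(), "ok")
| where status != "ok"
| sort Priority, -lag_hours
| table host Group Priority HoursLag lag_hours status
```

Hosts whose most recent event is older than their own HoursLag threshold are reported as "stale", and hosts that never appeared in the window are reported separately, so a device that is allowed to be quiet for 48 hours is not flagged on the same schedule as one that should report every hour.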