There are a number of ways of monitoring this. I would not recommend using |metadata, as it is not the right way to monitor data coming / not coming in. The best way to check for data/hosts is the tstats command:

| tstats count where index=* OR index=_* by host

which will give you the data coming in over the search period. You can also split by time if wanted with:

| tstats count where index=* OR index=_* by host _time span=1d

Then, if you have a lookup file (csv) of the expected hosts, your search would look something like this:

| tstats count where index=* OR index=_* by host
| append [
    | inputlookup your_master_list.csv
    | eval count=0
]
| stats max(count) as count by host
| where count=0

So you first collect your received data by host, then you append the list of hosts from the lookup and set a dummy 'count=0' for that host. Finally, the stats at the end will collate the max value of count seen for each host. If there is data for the host, count will be > 0, otherwise it will be 0. So the final where will then show you hosts that are missing data.

Note that there are some useful tools; one I particularly like is TrackMe, which is a really powerful tool to alert when hosts or sourcetypes stop appearing in Splunk. https://splunkbase.splunk.com/app/4621/ It's Cloud certified and is free.
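As an added example (not part of the original answer), the same append/stats pattern extended so a scheduled search reports two conditions at once: hosts on the master list with no data at all in the search window, and hosts that do have data but have gone quiet recently. It assumes the lookup your_master_list.csv has a host column and that the search is run over a window wider than the staleness threshold (for example the last 7 days); the 24h threshold and the status labels are arbitrary choices.

```spl
| tstats count latest(_time) as last_seen where index=* OR index=_* by host
| append [
    | inputlookup your_master_list.csv
    | fields host
    | eval count=0, last_seen=0
]
| stats max(count) as count max(last_seen) as last_seen by host
| eval status=case(
    count=0, "never seen in window",
    last_seen < relative_time(now(), "-24h"), "stopped sending",
    true(), "ok")
| where status!="ok"
| eval last_seen=if(last_seen=0, "never", strftime(last_seen, "%Y-%m-%d %H:%M:%S"))
| sort status, host
```

Because the dummy row from the lookup carries last_seen=0, max(last_seen) only stays at 0 when the host produced no events in the window, which is what separates "never seen in window" from "stopped sending". Hosts that send data but are not on the master list still pass through and are simply dropped by the final where unless they are stale; add a second marker field in the lookup if you also want to surface unexpected hosts.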