Hi All, I need to do some lookup table maintenance and would like to know which hosts are not being monitored but are still in the lookup table.
My problem is that I have host fields that have an "*", i.e. host=saps*, that are valid and are being monitored.
Here is my SPL:
-----------------------------------------------------
| inputlookup host_lookup
| eval host=lower(host)
| join host type=left
[| metasearch (index=os_* OR index=perfmon_*)
| dedup host
| eval host=lower(host)
| eval eventTime=_time
| convert timeformat="%Y/%m/%d %H:%M:%S" ctime(eventTime) AS LastEventTime
| fields host eventTime LastEventTime index]
| eval Action=case(eventTime>200, "Keep Host", isnull(eventTime) , "Remove from Lookup")
| fields Action host LastEventTime
-----------------------------------------------------