Thank you for you answer but it's not workin 😞
index="backup_script" conf_brand=ios OR conf_brand=nxos
| rex field=conf_hostname "(?P^[^.]+)"
| eval status = "Device not sending logs to splunk"
| table hostname status
| dedup hostname | where like(hostname,"%"+"tor-rt-"+"%")
| join type=outer hostname [ search index="backup_script" conf_brand=ios OR conf_brand=nxos
| rex field=conf_hostname "(?P<host>^[^.]+)"
| stats count by host
| eval backup_hostname=host+"*"
| table backup_hostname
| where like(backup_hostname,"%"+"tor-rt-"+"%")
| map [ search eventtype=cisco_ios host=$backup_hostname$
| eval final_hostname = $backup_hostname$
| rex field=final_hostname "(?P<hostname>^[^*]+)"
| table hostname
| dedup hostname ] maxsearches=1000]
|fillnull value="NULL" status | where status="NULL"
... View more