Hey @syedak,
You can use a subsearch to accomplish this:
|inputlookup hosts.csv | search NOT [search index=_internal |dedup host | table host]
This search will take your CSV and eliminate hosts found in the subsearch. The hosts.csv will contain all the hosts with the column name of host:
host
host1
host2
host3
Obviously, modify the subsearch and CSV names to suit your environment.
If you'd like to look at your data as the only indicator, I'd recommend | tstats:
| tstats count, latest(_time) AS last_seen where index=* by sourcetype,host | eval timeDiff=now()-last_seen | search timeDiff>900
Change "900" to how long you'd like to consider something missing, in seconds. | tstats is going to be significantly faster than | metadata.
Let me know if this helps!
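An added example, not part of the original post: the two searches above combined, so that every host listed in hosts.csv is reported as either "never seen" (no indexed events at all) or "stale" (last event older than 900 seconds). The field names expected, age_sec and status are made up for this illustration, and lowercasing host assumes the lookup and the indexed host values may differ in case.

```spl
| tstats latest(_time) AS last_seen where index=* by host
| inputlookup append=true hosts.csv
| eval host=lower(host), expected=if(isnull(last_seen), 1, 0)
| stats max(last_seen) AS last_seen, max(expected) AS expected by host
| where expected=1
| eval age_sec=now()-last_seen
| eval status=case(isnull(last_seen), "never seen", age_sec>900, "stale", true(), "ok")
| where status!="ok"
| eval last_seen=strftime(last_seen, "%F %T")
| table host status last_seen age_sec
```

Rows appended from the lookup carry no last_seen value, which is what marks them as expected; hosts that report but are not in hosts.csv are dropped by the expected=1 filter.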