I have a sourcetype which is a log created by the AV application on the host. I would like to find hosts which are missing this particular sourcetype (over 4 hours). It seems like an easy search but I cannot figure out how to write it. Theoretically I would like to do a search on all hosts and sourcetypes and then find the hosts which haven't sent any log with this sourcetype. Easy in theory but I cannot figure it out. Please help me. This is how far I have come:
`| metasearch sourcetype=* host=* | dedup sourcetype, host |` "here I would like a tabular output of hosts missing this sourcetype"
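One way to get the tabular output the question asks for, as an added example and not part of the original post: count events per host and sourcetype over the last 4 hours, flag the rows that belong to the AV sourcetype, then keep only hosts whose flag never fired. `YOUR_AV_SOURCETYPE` is a placeholder for the actual AV sourcetype name, which the post does not give; `index=*` is an assumption and should be narrowed to the index(es) the AV logs land in.

```spl
| tstats count WHERE index=* earliest=-4h latest=now BY host sourcetype
| eval has_av=if(sourcetype="YOUR_AV_SOURCETYPE", 1, 0)
| stats sum(has_av) AS av_events, values(sourcetype) AS sourcetypes_seen BY host
| where av_events=0
| table host sourcetypes_seen
```

Because the search starts from hosts that reported something in the window, a host that went completely silent (no sourcetype at all) will not appear here and needs a separate "no data from host" check, for example against an inventory lookup. The same logic works with `| metasearch index=* earliest=-4h` in place of the `tstats` line if `tstats` is unavailable, just slower.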