find the new and/or killed process using summary index

I have a group of about 60 servers saturated among Windows, Linux, and AIX operating systems. Each system is configured to forward their process information to my primary index server at a frequency of about 1 minute. For AIX and Linux, we use the ps command/sh; and on Windows we use the wmi-input script.

At the moment, we have a scheduled savedsearch running at about the same interval (1 min) which takes all the individual events from separate hosts and aggregates them into single events using mvcombine. This result is then written into a separate (custom) index using the collect command. For example - an event in our "process" index might look something like this:

09/08/2011 23:22:00, search_name=KelProcessCollect, search_now=1315495440.000, info_min_time=1315495320.000, info_max_time=1315495460.000, info_search_time=1315495454.129, Name="/sbin/init [kthreadd] [ksoftirqd/0] [kworker/u:0] [migration/0] [cpuset] [khelper] [netns] [sync_supers] [bdi-default] [kintegrityd] [kblockd] [kacpid] [kacpi_notify] [kacpi_hotplug] [ata_sff] [khubd] [md] [khungtaskd] [kswapd0] [ksmd] [fsnotify_mark] [aio] [ecryptfs-kthrea] [crypto] [kthrotld] [scsi_eh_0] [scsi_eh_1] [kworker/u:3] [kmpathd] [kmpath_handlerd] [kondemand] [kconservative] [scsi_eh_2] [jbd2/sda5-8] [ext4-dio-unwrit] upstart-udev-bridg udevd [jbd2/sda6-8] [ext4-dio-unwrit] rsyslogd dbus-daemon avahi-daemon: avahi-daemon: NetworkManager....... (it goes on for quite a bit)
... and some metadata include host, orig_host, Name, etc..

Now, I want to do two things with this data:

1. run a scheduled search which alerts me when a process (of any orig_host) is created or killed
2. run a scheduled search which writes an event into my "process" index identifying exactly which process is new/ and which was killed; with this information, I want to be able to draw a chart displaying trends which may be occurring within our organization in regards to the process created/killed; perhaps in relationship with time-of-day for example

Any ideas or comments?

Thanks in advance

--edit--

Furthermore, we have already tried many things in regards to question 1 above. The most promising solution is to use a subsearch (for newly created processes):

index=process search_name=KelProcessCollect | dedup orig_host | makemv Name | mvexpand Name | search NOT [search index=process search_name=KelProcessCollect | dedup 2 orig_host | reverse | dedup orig_host | makemv Name | mvexpand Name | fields orig_host, Name | format]

With this search command, we are able to identify those process which are there now, but wasn't there in the previous event.

However when we tried to save this result back into the "process" index, by appending the following to the above command:

| collect index=process marker=test1=test2

.. there are some issues we were not able to solve. First problem is that the result is written into the index with search_name=KelProcessCollect, and not with the actual name of our saved search. Fine. So to prevent duplicated data in our "process" index, we tried | collect index=main marker=test1=test2. And when we look in the main index for this result, "test1=test2" is written in the _raw, but cannot be located as a field; which is not so bad, since we can still search for search_name=KelProcessCollect in the main index and find what we need. The real problem is the Name field now reverts back to the original Name field from the process-index - not the single process-name, but the long string of text, ie. Name="/sbin/init [kthreadd] [ksoftirqd/0] [kworker/u:0] [migration/0] [cpuset] [khelpe..."

So this doesn't help one bit, since we can't identify which of those Names was the actual new process. We have tried to rename Name AS Name2, but the results in main-index only shows the _raw data; whats wrong? Is there any way to manually format the output of what gets written with collect? or perhaps a way to remove old metadata and assign new ones?

Many many thanks!