Hi jamesmatthews,
the easiest way is to create a lookup (e.g. called perimeter.csv) containing all the hosts in your perimeter (one column called "host") and then run a search like this:
index=myindex sourcetype="mysourcetype"
| eval host=upper(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=upper(host), count=0 | fields host count ]
| stats sum(count) AS Total BY host
In this way hosts with Total=0 are the missed ones, instead hosts with Total>0 are OK.
You can show host situation in a dashboard alche in graphic mode.
You can also create an alert when Total=0 so you immediately know when there's a problem.
Bye.
Giuseppe
... View more