Searching for non-existent data is always harder than searching for existing data … because finding "nothing" isn’t possible
However, you can simulate finding nothing like this:
index=ndx sourcetype=srctp ip=* earliest=-7d
| stats count by ip
| append
[| inputlookup myListOfIPs
| fields ip ]
| stats values(count) as filter by ip
| where isnull(filter)
What this search does:
- do a simple count by all found IPs of the last week
- append the "master list" of IPs to the stats'd output
- do a values stats of all IPs in the table (found in event data and from the lookup table)
- filter out all items that have some value in the filter field using where
The resultant IPs will all have not been found in the index in question in the last week
Adjust field names, time range, etc as necessary
from User warren – Stack Overflow https://stackoverflow.com/questions/73464448/how-do-i-check-if-splunk-has-received-logs-from-hundreds-of-different-sources-ho/73530093#73530093
via IFTTT
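The pipeline above relies on one detail: rows appended from the lookup carry only an `ip` field and no `count`, so after the final `stats values(count) as filter by ip` the lookup-only IPs end up with a null `filter`, while any IP that also appeared in the index keeps its count. The following is an added example, not part of the original answer or of Splunk, that emulates each stage of that search in Python over a small constructed event set, so the null-filter behaviour can be traced step by step. The event timestamps, IP addresses, the `NOW` reference time and the master list are all made up for the demonstration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the page): (timestamp, source ip) pairs
# standing in for events in `index=ndx sourcetype=srctp`, plus a master list
# standing in for the `myListOfIPs` lookup.
NOW = datetime(2024, 6, 10, 12, 0, 0)
EVENTS = [
    (NOW - timedelta(days=1), "10.0.0.1"),
    (NOW - timedelta(days=2), "10.0.0.1"),
    (NOW - timedelta(days=3), "10.0.0.2"),
    (NOW - timedelta(days=9), "10.0.0.3"),  # outside the 7-day window
]
MASTER_LIST = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]


def count_by_ip(events, now, earliest_days=7):
    """Stage 1: `... ip=* earliest=-7d | stats count by ip`."""
    earliest = now - timedelta(days=earliest_days)
    return Counter(ip for ts, ip in events if ts >= earliest)


def silent_sources(events, master_list, now, earliest_days=7):
    """Stages 2-4: append the lookup, stats values(count) by ip, where isnull(filter).

    Returns the sorted list of master-list IPs that produced no events in
    the window, i.e. the sources that have gone quiet.
    """
    counts = count_by_ip(events, now, earliest_days)

    # Stage 2: `append [| inputlookup myListOfIPs | fields ip]`.
    # Rows from stats carry ip and count; rows from the lookup carry only ip.
    rows = [{"ip": ip, "count": c} for ip, c in counts.items()]
    rows += [{"ip": ip} for ip in master_list]

    # Stage 3: `stats values(count) as filter by ip`.
    # values() ignores missing fields, so an ip seen only in the lookup
    # collects an empty set, which is what Splunk reports as null.
    filt = {}
    for row in rows:
        filt.setdefault(row["ip"], set())
        if "count" in row:
            filt[row["ip"]].add(row["count"])

    # Stage 4: `where isnull(filter)` keeps only the ips with no count at all.
    return sorted(ip for ip, vals in filt.items() if not vals)


if __name__ == "__main__":
    print("counts in window:", dict(count_by_ip(EVENTS, NOW)))
    print("silent sources:", silent_sources(EVENTS, MASTER_LIST, NOW))
```

Note that 10.0.0.3 is flagged even though it does have an event, because that event falls outside the `earliest=-7d` window; the same holds in the real search, so the time range should match how often each source is expected to report. An IP that appears in the index but not in the master list is never flagged, since it always carries a count.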