Monday, June 22, 2009

find sources that do not log

"| metadata" generates basic description of the logged data.

Since the data is generated, rather than extracted from an index, there is no search command preceding the pipe.

The data is available for hosts (e.g. 192.168.1.1), sources (e.g. udp:514), and sourcetypes (e.g. syslog).

A search that narrows down the scope, e.g. by event tags, can be appended:
"| metadata type=hosts | search eventtypetag=cisco5505s"

The difference between $now and the last message can be calculated (eval's now() returns the search start time as epoch seconds, and lastTime is already epoch seconds):
"eval age = now() - lastTime"

Then we can construct a search to look for any host (or source or sourcetype) where the time
from $now to the last logged message is greater than 24 hours (86400 seconds):
"eval age = now() - lastTime | search age > 86400"

Finally, the whole pipeline can be constructed and the results presented:
"| metadata type=hosts | search eventtypetag=cisco5505s | eval age = now() - lastTime | search age > 86400 | sort age d | convert ctime(lastTime) | fields age,host,lastTime"

Voila: the Cisco 5505s listed in the results have not logged anything for more than 24 hours.
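The same silent-source check, written as a small Python function over the kind of rows "| metadata type=hosts" returns (host, lastTime). This is an added example, not the blog's or Splunk's own code; the rows and the fixed "now" are constructed so the run is reproducible. It goes one step beyond the pipeline above: a host that has never been indexed has no metadata row at all, so an optional expected-hosts list is used to report those too.

```python
import time

# Constructed sample of "| metadata type=hosts" output: host and lastTime (epoch seconds).
NOW = 1245672000  # constructed reference point: 2009-06-22 12:00:00 UTC
SAMPLE_METADATA = [
    {"host": "192.168.1.1", "lastTime": NOW - 3600},       # logged an hour ago: healthy
    {"host": "192.168.1.2", "lastTime": NOW - 90000},      # silent for 25 hours
    {"host": "192.168.1.3", "lastTime": NOW - 7 * 86400},  # silent for a week
]

CTIME_FORMAT = "%m/%d/%Y %H:%M:%S"  # same layout as Splunk's "convert ctime(...)"


def silent_sources(metadata, now=None, max_age=86400, in_scope=None, expected=()):
    """Python equivalent of the blog's pipeline:
    search <scope> | eval age = now() - lastTime | search age > 86400
    | sort age d | convert ctime(lastTime) | fields age,host,lastTime

    in_scope: optional set of hosts standing in for the eventtypetag filter.
    expected: hosts that must be logging; any with no metadata row is reported
              with lastTime "never" (metadata cannot show what was never indexed).
    """
    now = time.time() if now is None else now
    results, seen = [], set()
    for row in metadata:
        host = row["host"]
        if in_scope is not None and host not in in_scope:
            continue  # outside the narrowed scope
        seen.add(host)
        age = now - row["lastTime"]
        if age > max_age:
            results.append({
                "age": age,
                "host": host,
                "lastTime": time.strftime(CTIME_FORMAT, time.gmtime(row["lastTime"])),
            })
    results.sort(key=lambda r: r["age"], reverse=True)  # sort age d
    for host in expected:
        if host not in seen:
            results.append({"age": None, "host": host, "lastTime": "never"})
    return results


if __name__ == "__main__":
    for r in silent_sources(SAMPLE_METADATA, now=NOW, expected=["192.168.1.9"]):
        print(r["age"], r["host"], r["lastTime"])
```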