I believe I know what you mean, that you want to remove any other NTP server than the one you want defined, regardless of it's IP address. So you don't have an actual list of them sitting there of what other NTP servers there are...
I have a bit of a hack based on the newest NCM that can work for you. This is how you set it up.
In the "STRING MATCHING" section configure it as follows with the IP address of the NTP server you want to be set...
Then, in the "search config file/block" set it up as follows, the "config block end" could probably be "^.*" also (ie: ANYTHING), we are mainly interested in setting the start of the config block to be the line that contains the specific NTP server on that specific line. More on that below...
Now for the magic / hack. Set your remediation script as follows:
The first line is doing a "no" of the "ConfigBlock" start line I mentioned above, which will be set to any NTP server that you DON'T want. It will ignore the NTP server you do want. The second line is optional, setting the NTP server that you do want. If you just want to remove unwanted NTP servers the first line will suffice.
The one drawback of this is if no NTP server is defined at all, the config will be in compliance, you will need another rule to make sure the NTP server you want is defined, but that's quite simple.
This is kind of hacking the new ability to run your script on each config block that is in violation a bit, this feature was never intended to work this way. But my devious mind wanted this for the ability to do things like remove unwanted SNMP communities and such. So, no promise it will always work, but I believe it should work at least in the present. Let me know your results and TEST first on a small subset of devices!!!
Any relation to Mark? :-)
HTH!!
"I'm just working in the coal mines..."