I'm not really used to Splunk, so maybe this question is silly, but let's see.
I'm doing the following search, with the time selection set to Today:
| metadata type=hosts index="myindex"
This result is of course a list of hosts with a total_count which I assumed was the number of events from this host for the day.
Then I'm doing (still for today):
index="myindex" host="192.168.0.15"
Which returns nothing....
How is it possible that a host appearing in the metadata has in fact no events for the day?