If you want to get all the indexes, do this:
eventcount index=* summarize=false
How do I exclude summary, history and main from my index results?
Thanks
This works for me.
| eventcount summarize=false index=* index=_* | search NOT (index=main OR index=summary OR index=history)
This works for me.
| eventcount summarize=false index=* index=_* | search NOT (index=main OR index=summary OR index=history)
Thanks, this is what I wanted.
| eventcount summarize=false index=* | search NOT (index=main OR index=summary OR index=history)
Try 'eventcount index=* summarize=false NOT (index=main OR index=summary OR index=history)
'
I have try these out as a search and they do not work. Am I missing something?
| eventcount index=* NOT index=main NOT index=history NOT sourcetype=stash summarize=false
| eventcount index=* summarize=false NOT (index=main OR index=summary OR index=history)
if you want to search but exclude "exclude summary, history and main"
try
index=* NOT index=main NOT index=history NOT sourcetype=stash
and if you want the internal indexes, add
index=* OR index=_* NOT index=main NOT index=history NOT sourcetype=stash