Can you please tell us how to check Splunk indexes' event count for the last hour, including zero counts? For a specific index, the search below works fine. If we want results for multiple indexes, how do we write the search?
Search working fine with one index and zero count:
index="idx1" earliest=-1h | stats count | where count=0
Search not working with multiple indexes to include zero count:
index="idx1" OR index="idx2" OR index="idx3" earliest=-1h | stats count by index | where count=0
Need an output like:
index count
------------
idx1 0
idx3 0
What about this?
index="idx*" earliest=-1h | stats count by index |
append [| eventcount summarize=false index="idx*"|stats count by index|eval count=0|table index,count]|
stats sum(count) as count by index
| where count=0
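A variant of the same append-and-sum technique, added here as an illustration and not part of the answer above: it lists every index matching the wildcard with its count for the last hour (zero included, no final filter), and uses tstats instead of a raw event search so the count comes from the index metadata rather than from reading events. The index pattern "idx*" and the one-hour window are assumed from the question.

```spl
| tstats count where index="idx*" earliest=-1h by index
| append [
    | eventcount summarize=false index="idx*"
    | stats count by index
    | eval count=0
    | table index, count
  ]
| stats sum(count) as count by index
| sort index
```

Appending `| where count=0` at the end reduces the result to the silent indexes only, which is the check the question asks for; because tstats sees only index-time data, any search-time filter you might otherwise put in the base search has to be expressed in the where clause.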