I am trying to do a search for certain hosts and get counts on the number of events available for each host while trying to get the time of last log event. I am unable to get the resulting table to show all hosts even if the event count is 0.
host="server1" OR host="server2" OR host="server3" OR host="server4" | eval time=strftime(_time, "%b %d, %Y %r") |chart count as "TotalEvents", earliest(time) as "LastLog" by host
I get the following result now:
host TotalEvents LastLog
server1 25 Oct 27, 2015 11:29:56 AM
server2 1025 Sep 10, 2015 09:52:02 AM
server4 58 Sep 24, 2015 09:49:02 AM
I want server3 to show up in the table below even if there are no matching events:
host TotalEvents LastLog
server1 25 Oct 27, 2015 11:29:56 AM
server2 1025 Sep 10, 2015 09:52:02 AM
server3 0
server4 58 Sep 24, 2015 09:49:02 AM
... View more