I have a very simple query and can't believe I can't get this to work...
The os index should have 5 sourcetypes for each host in my environment:
df, linux_audit, linux_messages, linux_secure and vmstat.
I need to know how many events each sourcetype has in the *Nix application. I need it to include a 0 if there are no events.
I've tried:
index=os sourcetype=* | fillnull | stats count by host, sourcetype
index=os sourcetype=* | fillnull value=0 count, host, sourcetype | stats count by host, sourcetype
I need to know when there are 0 events for the sourcetype and host, but I'm never getting a 0.
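The reason neither attempt returns a 0 is that `stats count by host, sourcetype` can only count host/sourcetype pairs that actually have events; a pair with no events never reaches the `stats` command, so `fillnull` has nothing to fill. One way to get the zero rows is to seed every expected host/sourcetype combination with a count of 0 and then sum the real counts on top. The search below is an added example, not code from the original post; it assumes the five sourcetypes listed in the question and takes the host list from the hosts that have at least one event in `index=os` (a host that is completely silent would need an `inputlookup` of expected hosts instead of the inner `stats count by host`).

```spl
index=os sourcetype=* | stats count by host, sourcetype
| append
    [ search index=os | stats count by host
      | eval sourcetype=split("df,linux_audit,linux_messages,linux_secure,vmstat", ",")
      | mvexpand sourcetype
      | eval count=0
      | fields host, sourcetype, count ]
| stats sum(count) AS count by host, sourcetype
```

Rows where `count=0` are exactly the hosts whose audit, secure or other log feed has stopped arriving, which is the gap a log-source monitoring dashboard or alert should surface.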