I am only curious for a certain index
| stats count by host
| stats sum(count) AS Total BY host
| where Total>0
This search is good to see how many logs are coming in for my hosts in that index, but the problem is that when a host stops sending I have no alert for it. I tried changing it to "| where Total>=0", but that took the host off my table when it hit zero. How can I adjust or change my query so that I can alert when a host hits 0 logs?
index=abc
| stats count BY host
| append [| makeresults | eval host=split("hostA,hostB,hostC ... ",",") | mvexpand host | fields host | table host]
| fillnull value=0 count
| stats sum(count) AS Total BY host
| where Total=0
Instead of the append [....] subsearch, you can create host.csv and use
| inputlookup append=t host.csv
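The pitfall in the question is a join semantics problem: "stats count BY host" only produces rows for hosts that actually sent events, so a host with zero events has no row to filter on, and "where Total>=0" cannot bring it back. Appending the expected host list (from makeresults or host.csv) and filling the missing count with 0 turns the inner join into an outer join. The following Python is an added illustration of that logic on constructed sample data, not Splunk code and not part of the original thread; the event list, the expected host list standing in for host.csv, and the stale_hosts function (which goes beyond the query by also flagging hosts whose last event is too old) are all assumptions made for the example.

```python
"""Silent-host detection: the logic behind the Splunk query in the answer,
written in Python so the inner-join vs outer-join difference is visible."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real logs): (timestamp, host)
EVENTS = [
    ("2024-05-01T10:00:00Z", "hostA"),
    ("2024-05-01T10:05:00Z", "hostA"),
    ("2024-05-01T09:50:00Z", "hostB"),
]

# Stand-in for host.csv / the makeresults subsearch: every host that should report
EXPECTED_HOSTS = ["hostA", "hostB", "hostC"]


def count_by_host(events):
    """Equivalent of 'stats count BY host': only hosts with events get a row."""
    return Counter(host for _, host in events)


def inner_join_totals(events):
    """The original query: hosts with zero events never appear, so no
    'where' clause on Total can surface them."""
    return {h: c for h, c in count_by_host(events).items() if c > 0}


def outer_join_totals(events, expected):
    """append + fillnull value=0: every expected host gets a row, with 0
    for hosts that produced nothing in the search window."""
    counts = count_by_host(events)
    return {h: counts.get(h, 0) for h in expected}


def silent_hosts(events, expected):
    """The alert condition ('where Total=0'): expected hosts with no events."""
    totals = outer_join_totals(events, expected)
    return sorted(h for h, total in totals.items() if total == 0)


def stale_hosts(events, expected, now, max_age):
    """Beyond the query: a host that sent some events in the window but whose
    most recent event is older than max_age is flagged as well, which catches
    a host that went quiet partway through the window."""
    last_seen = {}
    for ts, host in events:
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if host not in last_seen or t > last_seen[host]:
            last_seen[host] = t
    return sorted(
        h for h in expected
        if h not in last_seen or now - last_seen[h] > max_age
    )


if __name__ == "__main__":
    print("inner join :", inner_join_totals(EVENTS))
    print("outer join :", outer_join_totals(EVENTS, EXPECTED_HOSTS))
    print("silent     :", silent_hosts(EVENTS, EXPECTED_HOSTS))
    now = datetime(2024, 5, 1, 10, 10, tzinfo=timezone.utc)
    print("stale      :", stale_hosts(EVENTS, EXPECTED_HOSTS, now, timedelta(minutes=15)))
```

The same idea carries over to SPL: the expected host list must be joined in before the final stats, and the missing count must be filled with 0 before any comparison, otherwise the comparison is made against null and the row is dropped.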