This gives me the status of zookeeper based on the availability of the indicators "java.net.SocketException: Broken pipe" OR "ZK Down".
Now, I want to merge both the search queries such that I can get the status of both broker and zookeeper in a tabular format.
for e.g. for the host mwgcb-ckbla02U.nam.nsroot.net
I tried creating a query as below:
index=int_gcg_nam_eventcloud_164167 host="mwgcb-ckbla02U*" source="/logs/confluent/kafkaLogs/server.log" OR source="/logs/confluent/zookeeperLogs/zookeeper.log" "Broker may not be available" OR "java.net.SocketException: Broken pipe" OR "ZK Down" | stats count by source | lookup component_lookup.csv "source" | eval Status=if(count=0, "Running", "Down")| table Component,Status
However in any time range where the indicators are not available, it throws output as "No results found" and hence not able to create the dashboard.
Please help to get the output in the desired manner. Thanks..!!