The scenario:
I have a scripted input that gives me a list of files in a directory. On a regular basis I want to run a search that will see how many times each of those has been served by the webserver. I also want to include in the report any files that have not been hit in the report.
Assume the subsearch for the list of files is just:
[search sourcetype=dirlist | fields filename ]
And that it's searching against normal apache access logs.
Maybe something like:
sourcetype=access_combined [ search sourcetype=dirlist | fields filename ]
| stats count as hitcount by filename
| append [ search sourcetype=dirlist | fields filename | eval hitcount=0 ]
| stats max(hitcount) by filename
Maybe something like:
sourcetype=access_combined [ search sourcetype=dirlist | fields filename ]
| stats count as hitcount by filename
| append [ search sourcetype=dirlist | fields filename | eval hitcount=0 ]
| stats max(hitcount) by filename