Try this. keep in mind you are searching all event and indexs with this query.
index=* | dedup host, index | table index, host
Hope this helps or gets you started. Dont forget to accept and vote answers that help.
| metadata type=hosts index=
I can get a list of hostnames using this query. Is there a way to get the table I am looking for with this metadata?
index=* | stats values(host) by index
This would also work but then it actually searches all the indexes for all the time. Well if that's what you want then this will work.
Old thread, but I figured out a way to do this with metadata.
| metadata type=hosts index=main | stats count AS "Host Count" | eval "Source Index"="main"
| append [ | metadata type=hosts index=other | stats count AS "Host Count" | eval "Source Index"="other"
| table "Source Index","Host Count"
And you just keep appending until you get all the indexes you wanted.
Kind of wonky, but it's fast.