get rid of everything before the first pipe
You could try these:
| tstats latest(_time) AS latest where index=* by host
| metadata type=hosts
Either should work.
many ways to go about it ...
see the output of the command and start exploring ...
here's a link to the doc that has more elaborate examples:
hope it helps
index=my_index* | metadata type=hosts
Error in 'metadata' command: This command must be the first command of a search.
The search job has failed due to an error. You may be able view the job in the Job Inspector.
please read the doc
metadata is a generating command; it has to be first
no need for index = something before
place this in your search bar literally
You should run a search like this one (set the time-range picker to the last 30 days):
index=* | stats count by host
This search will show you all hosts and the number of events from each one.