To concur with the above answers, you would have to utilize a lookup file that lists out all of the sources you want to monitor. Natively, Splunk does not have a source = 0 events (it doesn't know what it doesn't know). In the environment we work in, we apply a similar approach, but it's based on host and whether the sources are coming in or not for our customers.

| tstats values(source) as source, values(sourcetype) as sourcetype
    WHERE index=[index]
    [ | inputlookup [myHostLookup].csv
    | fields host ]
    by host
| append
    [ | inputlookup [myHostLookup].csv
    | fields host ]
| stats count, values(sourcetype) as sourcetype, values(source) as source
    by host
| eval Reporting=if(isnull(source), "No Matching Sources", "Yes")
| table host, Reporting, source, sourcetype

---
If this reply helps you, Karma would be appreciated.
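
A source-level variant of the lookup approach described in the answer above, as an added example that is not part of the original reply. The lookup name `expected_sources.csv` (assumed to hold one `source` column) and the `<your_index>` placeholder are assumptions.

```spl
| tstats count as events, max(_time) as last_seen WHERE index=<your_index> by source
| eval expected=0
| append
    [ | inputlookup expected_sources.csv ```hypothetical lookup: one "source" column listing what must report```
      | fields source
      | eval expected=1, events=0 ]
| stats sum(events) as events, max(last_seen) as last_seen, max(expected) as expected by source
| eval Reporting=case(expected=1 AND events=0, "No Events", expected=1, "Yes", true(), "Not In Lookup")
| eval last_seen=if(isnull(last_seen), "never", strftime(last_seen, "%Y-%m-%d %H:%M:%S")) ```"never" means none within the search time range```
| sort Reporting, source
| table source, Reporting, events, last_seen
```

Appending the lookup rows with `events=0` is what lets a silent source appear in the results at all; sources that report but are absent from the lookup are labelled "Not In Lookup" so the list can be kept current.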