I'm looking for a query which writes count=0 in the stats result when there are no events for that app and host.
My search query:
index=XYZ (appid=A OR appId=B) ( host=123 OR host =234 ) | stats count by appid,host
An alert should be triggered when the count is 0 from the result. I have tried using appendpipe but it didn't work for me.
Example: I have added a new host=000 in the above search
index=XYZ (appid=A OR appId=B) ( host=123 OR host =234 OR host=000) | stats count by appid,host | appendpipe [ stats count by appid,host | count=0 | where count==0]
The result is the same as the result from the first query. I was expecting two extra rows in the result, something like appId A host=000 count=0 and appid=B host=000 count=0
Is there any other way I can trigger an alert when count=0 for the above scenario?
Thanks
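`stats count by` only emits rows for field combinations that occur in the matched events, and `appendpipe` operates on those same rows, so a silent host never appears. An added example (not part of the original post) that appends every expected appid/host pair with count=0 and re-aggregates, leaving only the pairs with no events. It assumes the field is named `appid` throughout and reuses the post's sample values.

```spl
index=XYZ (appid=A OR appid=B) (host=123 OR host=234 OR host=000)
| stats count by appid, host
| append
    [| makeresults
     | eval appid=split("A,B", ","), host=split("123,234,000", ",")
     | mvexpand appid
     | mvexpand host
     | eval count=0
     | fields appid, host, count]
| stats sum(count) as count by appid, host
| where count=0
```

Saved as an alert that triggers when the number of results is greater than 0, this returns one row per appid/host pair that logged nothing in the search window.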