It's hard to prove a negative in Splunk, and this falls into that category. However, after many failed attempts, this seems to be working for me.

| eventcount summarize=false index="<your_index>" OR index="<another_index>"
| dedup index
| fields index
| join type=left index [| tstats count by index]
| where isnull(count)
| rename index as theindex

You have to list indexes manually and by name with quotes. The last line renames 'index' to 'theindex' as 'index' is a special term in Splunk and will cause problems here if not renamed. I have this run once a day going back 36 hours; this reduces false positives for indexes that may only consume logs once a day.