Is there a better way to report the count of hosts reporting to Splunk week over week other than running the query using index=*
I am not looking for the no of forwarders, I am looking distinct count of host value in all the indexes, |metadata type=hosts do not help as it cannot be used for week over week calculation
index=* earliest=-2w@w latest=@w
| bucket span=1d _time
| stats count by _time host
| eval marker=if (_time<relative_time(now(),"-w@w"), "last week","this week")
| eval _time=if(marker=="last week", _time + 7*24*60*60, _time)
| timechart count by marker
... View more