I have some files (sources w/ configured sourcetypes) that often times do not contain any events. Is there a way that I can have the search show that the file was attempted to be read but no events were listed? Currently I'm looking at all files by date (actually removing the date from the filename...) overtime in order to asertain if I am missing any files. However, when the file has no events it does not appear in my search results. I'd like files that had no events but were read to appear in my search results.
Example Search String: index=charlesriver | bucket span=1d _time | stats count first(_time) as Date by _time, source | eval Date=strftime(Date,"%m/%d/%Y") | eval source=replace(source,"/apps/wcm-splunk/work/crd/prod/","") | eval source=substr(source,1,len(source)-13) | table Date, source, count | chart count over source by Date | sort -Date