I would like to create an alert if the number on events is different in two subsearches.
subsearch1 = "index=index1 | dedup checksum | stats count"
subsearch2 = "index=index2 | dedup checksum | stats count"
unsuccessful attempts:
1) using subsearch
index=index1 | dedup checksum | stats count | search count > [search index=index2 | dedup checksum |stats count | search count]
2) using set diff
set diff [search index=index1 | dedup checksum] [search index=index2 | dedup checksum]
