Hi,
I would like to see the difference in a count for two different types of events per day. Currently I have it in total but am not sure how to split it per day.
index="index1" ("first string" OR "second string")
| eval First=if(searchmatch("first string"),1,0)
| eval Second=if(searchmatch("second string"),1,0)
| stats sum(First) as FirstChecks sum(Second) as SecondChecks
| eval missing=FirstChecks - SecondChecks
Thanks
Try this:
index="index1" ("first string" OR "second string")
| bin _time span=1d
| eval First=if(searchmatch("first string"),1,0)
| eval Second=if(searchmatch("second string"),1,0)
| stats sum(First) as FirstChecks sum(Second) as SecondChecks by _time
| eval missing= FirstChecks - SecondChecks
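An alternative form of the same daily split, added here as an example and not part of the original posts: timechart does the one-day bucketing itself and counts each match with count(eval(...)), reusing the index name and strings from the thread. Unlike stats ... by _time, timechart also emits a row for days in the search range that had no matching events, so a day where both checks are absent still shows up with zero counts.

```spl
index="index1" ("first string" OR "second string")
| timechart span=1d
    count(eval(searchmatch("first string"))) as FirstChecks
    count(eval(searchmatch("second string"))) as SecondChecks
| eval missing=FirstChecks - SecondChecks
```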