I want to compare the error logs of the 2 search results and show the result.
I want to compare based on the "Error" log of the 2 search results.
One search result from prod:
*NullPointerException* index=prod | search log_level="ERROR" OR log_severity="Error" OR status>399 | stats earliest(_time) as FirstOccurence latest(_time) as LastOccurence count by static_msg | fieldformat FirstOccurence=strftime(FirstOccurence,"%m/%d/%y %H:%M:%S") | fieldformat LastOccurence=strftime(LastOccurence,"%m/%d/%y %H:%M:%S") | eval Error = static_msg | Table Error count FirstOccurence LastOccurence | sort -count
Search result from QA:
*NullPointerException* host=$host$ | search log_level="ERROR" OR log_severity="Error" OR status>399 | stats earliest(_time) as FirstOccurence latest(_time) as LastOccurence count by static_msg | fieldformat FirstOccurence=strftime(FirstOccurence,"%m/%d/%y %H:%M:%S") | fieldformat LastOccurence=strftime(LastOccurence,"%m/%d/%y %H:%M:%S") | eval Error = static_msg | Table Error count FirstOccurence LastOccurence | sort -count
I tried a diff like eval diff = prod - qa; it shows the difference of count or number of entries displayed, but I am looking for the actual log differences.
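An added example, not part of the original post: one way to list the error messages that occur in only one of the two environments, by running both searches as one and grouping on static_msg. It assumes QA events are not stored in index=prod and that $host$ resolves to the QA host; env, prod_count, qa_count and seen_in are names introduced here.

```spl
*NullPointerException* (index=prod OR host=$host$)
| search log_level="ERROR" OR log_severity="Error" OR status>399
``` tag each event with the environment it came from (assumption: anything outside index=prod is QA) ```
| eval env=if(index=="prod", "prod", "qa")
``` one row per error message, with a separate count and time range per environment ```
| stats count(eval(env=="prod")) as prod_count
        count(eval(env=="qa")) as qa_count
        earliest(_time) as FirstOccurence
        latest(_time) as LastOccurence
        by static_msg
``` classify each message by where it was seen ```
| eval seen_in=case(prod_count>0 AND qa_count>0, "both",
                    prod_count>0, "prod only",
                    true(), "qa only")
``` keep only the messages that differ between the two environments ```
| where seen_in!="both"
| fieldformat FirstOccurence=strftime(FirstOccurence,"%m/%d/%y %H:%M:%S")
| fieldformat LastOccurence=strftime(LastOccurence,"%m/%d/%y %H:%M:%S")
| rename static_msg as Error
| table Error seen_in prod_count qa_count FirstOccurence LastOccurence
| sort - prod_count, - qa_count
```

Removing the `where` line keeps the shared messages as well, so the per-environment counts can be compared side by side.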