index=abc OR index=def earliest=-8d@h latest=now
| table *
| stats last(*) as * by sourcetype index
| eval date_check="yesterday"
| rename sourcetype as _sourcetype , index as _index, date_check as _date_check
| foreach * [ eval <<FIELD>> = if(isnotnull('<<FIELD>>'),"<<FIELD>>",null())
| eval field_names=mvappend(field_names,"<<FIELD>>")]
| table _* field_names
| rename _* as *
| append [search index=abc or index=def earliest=-9d@h latest=-168h@h
| table *
| stats last(*) as * by sourcetype index
| eval date_check="today"
| rename sourcetype as _sourcetype , index as _index, date_check as _date_check
| foreach * [ eval <<FIELD>> = if(isnotnull('<<FIELD>>'),"<<FIELD>>",null())
| eval field_names=mvappend(field_names,"<<FIELD>>")]
| table _* field_names
| rename _* as * ]
| eval index_sourcetype=index."__".sourcetype
| chart values(field_names) as field_names by index_sourcetype date_check
| eval tmp=mvappend(today,yesterday)
| eval diff=abs(mvcount(mvdedup(tmp))-if(isnull(today),0,mvcount(today)))
| stats values(*) as * count as counts by tmp
| where counts=1
| stats values(tmp) as diff_fields max(diff) as diff values(today) as today values(yesterday) as yesterday by index_sourcetype
I am using the above code and on running it separately with fieldsummary I can see the difference. However on running the who query it doesn't display different fields
... View more