Hello,
I'm trying to create a search that shows what results are missing today - a, compared to yesterday - b.
a and b are inputs on a dashboard so I could also compare 2 weeks ago with today.
I can't do a "search of today NOT [subsearch with results from yesterday]" because I need to use | operations before.
It feels like a simple problem that for sure was solved 100 times but I don't get it.
What I have so far is only the difference, but it also shows if something new was added today, but was not there yesterday.
index=myindex sourcetype=special_list
| eval deleted=case(Deleted="Yes", "Deleted", Deleted="No", "Active")
| eval date=strftime(_time, "%F")
| where date="2019-09-27" OR date="2019-09-26"
| stats count as Total by FullName
| where Total=1
Example:
Compare 2019-09-22
A
B
C
D
with 2019-09-27
A
B
D
Result: C
Any help highly appreciated
Cheers
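One way to get only the entries that were present on the earlier day and are gone on the later day, as an added example that is not part of the original post. It reuses the index, sourcetype and FullName field from the query above with the two dates from the post's example; on a dashboard the literal dates would be replaced by the two input tokens.

```spl
index=myindex sourcetype=special_list
| eval date=strftime(_time, "%F")
| where date="2019-09-22" OR date="2019-09-27"
| stats dc(date) as days values(date) as dates by FullName
| where days=1 AND dates="2019-09-22"
| fields FullName
```

Counting distinct dates instead of events keeps the result correct when a FullName is logged more than once per day, and the check on `dates` drops entries that appear only on the later day.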