Hello,
I'm trying to create a search that shows what results are missing today - a, compared to yesterday - b.
a and b are inputs on a dashboard, so I could also compare 2 weeks ago with today.
I can't do a NOT [subsearch with results from today] because I already used |where in the first search.
It feels like a simple problem that for sure was solved 100 times but I don't get it.
What I have so far is only the difference, but it also shows if something new was added today, but was not there yesterday.
index=myindex sourcetype=special_list
| eval deleted=case(Deleted="Yes", "Deleted", Deleted="No", "Active")
| eval date=strftime(_time, "%F")
| where date="2019-09-27" OR date="2019-09-26"
| stats count as Total by FullName
| where Total=1
Any help highly appreciated
Cheers
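
One way to get only the entries that disappeared, as an added example that is not part of the original post: keep the same base search, record which dates each FullName was seen on, and keep the names seen on the earlier date only. The field names `dates` and `days` are made up for this example, and the two date literals stand in for the dashboard inputs a (today) and b (the earlier day).

```spl
index=myindex sourcetype=special_list
| eval date=strftime(_time, "%F")
| where date="2019-09-27" OR date="2019-09-26"
| stats values(date) as dates dc(date) as days by FullName
| where days=1 AND dates="2019-09-26"
| fields FullName
```

Putting the later date in the final `where` instead returns the opposite set, the names that are new today.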