I have the following search:
index=my_index asset_type="Workstation" asset_atp="false" asset_status="ACTIVE" earliest=-1d@d latest=-0d@d
| search NOT
[search index=my_index asset_type="Workstation" asset_status="ACTIVE" earliest=-1d@d latest=-0d@d
| eval nexttime=strftime(relative_time(now(),"-w@w") ,"%Y-%m-%d %H:%M:%S")
| where ad_date_created>nexttime]
When i run the searches separately, the first one returns 1841 events and the second one returns 487 events.
But the combined search does not exclude the results from the second search so I get the full 1841 events again.
When I use those searches with stats, just to get the count of the events, everything looks fine and I get the deisred result of 1354 with the following search:
index=my_index asset_type="Workstation" asset_atp="false" asset_status="ACTIVE" earliest=-1d@d latest=-0d@d
| stats count as TotalA
| appendcols
[search index=my_index asset_type="Workstation" asset_status="ACTIVE" earliest=-1d@d latest=-0d@d
| eval nexttime=strftime(relative_time(now(),"-w@w") ,"%Y-%m-%d %H:%M:%S")
| where ad_date_created>nexttime
| stats count as TotalB]
| eval Total=TotalA-TotalB
| fields Total
What am I doing wrong?
Thanks in advance for the help!
↧