Hi all.
I have a first search:
index=first sourcetype=type1 | stats count
And a second:
index=first sourcetype=data_sourcetype | join ID [search index="second" sourcetype="datatype2"] | stats count
Both cases returns number of events. I need to calculate the number difference between the first's search value and the second. How i can proceed?
Thanks!
↧