I am trying to create an alert which will compare yesterday and today for a particular field and show what is the difference.
I want to count the total for field called "id" for today and compare the count with yesterday and show the count difference and the id's which are different .
See if this helps at all.
index=foo earliest=-1d@d latest=@d
| stats count as yesterday by id
| append [ search index=foo earliest=@d latest=now | stats count as today by id ]
| stats values(*) as * by id
| fillnull value=0 yesterday today
| eval diff = today - yesterday
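The same day-over-day comparison, as an added example in Python rather than SPL (not from the thread): it buckets a constructed list of (timestamp, id) events into yesterday and today, zero-fills ids seen on only one day (the case where the SPL diff would otherwise be null), and flags which ids are new or missing. `EVENTS` and the fixed "now" are constructed sample values.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (timestamp, id); not data from the original thread.
EVENTS = [
    ("2024-05-01 09:00:00", "a"),
    ("2024-05-01 10:30:00", "a"),
    ("2024-05-01 11:00:00", "b"),
    ("2024-05-01 23:59:59", "c"),
    ("2024-05-02 00:00:01", "a"),
    ("2024-05-02 08:15:00", "b"),
    ("2024-05-02 08:16:00", "b"),
    ("2024-05-02 12:00:00", "d"),
]


def day_over_day(events, now_str):
    """Count events per id for yesterday (-1d@d .. @d) and today (@d .. now),
    then return per-id counts, the difference, and whether the id is new or gone."""
    now = datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S")
    today_start = now.replace(hour=0, minute=0, second=0, microsecond=0)
    yesterday_start = today_start - timedelta(days=1)
    yesterday, today = Counter(), Counter()
    for ts, ident in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if yesterday_start <= t < today_start:
            yesterday[ident] += 1
        elif today_start <= t <= now:
            today[ident] += 1
    rows = {}
    # Union of ids so an id present on only one day still gets a row (fillnull value=0).
    for ident in sorted(set(yesterday) | set(today)):
        y, t = yesterday.get(ident, 0), today.get(ident, 0)
        status = "both" if y and t else ("new_today" if t else "missing_today")
        rows[ident] = {"yesterday": y, "today": t, "diff": t - y, "status": status}
    return rows


def example_rows():
    """Run the comparison over the constructed events at a fixed 'now'."""
    return day_over_day(EVENTS, "2024-05-02 13:00:00")


if __name__ == "__main__":
    for ident, row in example_rows().items():
        print(ident, row)
```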
Thank You