Now I have a cluster.
My alerts are created on the search head of the cluster and my data comes from the indexes of the cluster.
Now, I need to create an alert; the role of this alert is to compare two days' data (today and yesterday), screening out the new content.
How do I write this search statement? Assume the index is "index=test".
If you use a lookup there may be a lot of problems; I tried.
You can do a distinct count to see if there are 2 distinct values in 2 days for a field -
| eventstats dc(field1) as field1_count, dc(field2) as field2_count by index | where field1_count > 1 AND field2_count > 1
Must these two fields be able to uniquely identify one record of data?
Does it print out the rows of data that are different? Then I save it as an alert. How should I set the trigger condition and the search span?
If I understand you correctly you want to be alerted when a field has a different value today than yesterday.
I used some of my perfmon data to simulate this sort of situation by averaging a value by host for each day and then subtracting them to create a field named "different". In my example, I used a change of +5 in the "different" column, but you would use "different!=0" to see everything that was different.
index=perfmon host=server* counter="% Processor Time" earliest=@d latest=now | stats avg(Value) as today by host | appendcols [ search index=perfmon host=server* counter="% Processor Time" earliest=@d-24h latest=@d | stats avg(Value) as yesterday by host] | eval different=today-yesterday | search different>5
You would need the fields, preferably unique identifiers, that you want to compare in that index. Also, it's better to narrow it down to specific sourcetype(s) which have similar data. Assuming that in index=test there are two fields, fieldA (a kind of primary key) and fieldB (which contains the data that may change), something like this would give you events from today which have a different value (fieldB) than yesterday.
index=test ...other filters if there.. earliest=-1d@d latest=now | eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today") | chart values(fieldB) over fieldA by Day | where isnull(Yesterday) OR Yesterday!=Today
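As an added example (not a search from this thread), here is an alert-ready version of the same day-over-day comparison that also labels why a row was kept: a fieldA that is new today, one that disappeared today, or one whose fieldB changed; it assumes the same index=test with fieldA as the key and fieldB as the compared value, and uses stats instead of chart so that multiple fieldB values per key are joined into one string before comparing.

```spl
index=test earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| stats values(eval(if(Day="Yesterday",fieldB,null()))) as Yesterday
        values(eval(if(Day="Today",fieldB,null()))) as Today
        by fieldA
| eval Yesterday=if(isnull(Yesterday),"<none>",mvjoin(Yesterday,";")),
       Today=if(isnull(Today),"<none>",mvjoin(Today,";"))
| eval change=case(Yesterday="<none>","new today",
                   Today="<none>","gone today",
                   Yesterday!=Today,"changed",
                   true(),"same")
| where change!="same"
| table fieldA Yesterday Today change
```

Save it as a scheduled alert with the trigger condition "number of results is greater than 0"; if it runs shortly after midnight, use earliest=-2d@d latest=@d and compare _time against relative_time(now(),"-1d@d") instead so that both days being compared are complete.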