Query1 : index="*" earliest=-1mon@mon latest=@mon
| stats count
O/P : 25,419,925,723
Query2 : index="*" earliest=-2mon@mon latest=-1mon@mon
| stats count as Twomonthsbeforecount
| appendcols
[ search index="*" earliest=-1mon@mon latest=@mon
| stats count as Onemonthbeforecount ]
| eval Difference=Onemonthbeforecount-Twomonthsbeforecount
| table Difference Onemonthbeforecount Twomonthsbeforecount
O/P :
Difference | Onemonthbeforecount | Twomonthsbeforecount |
-26541517755 | 169524875 | 26711042630 |
Query 1 output should match the Query 2 "Onemonthbeforecount " column value, but why is it differing? Am i missing out something to check?
Hi @vn_g,
Can you try with tstats?
| tstats count as Twomonthsbeforecount where index="*" earliest=-2mon@mon latest=-1mon@mon
| appendcols
[ tstats count as Onemonthbeforecount where index="*" earliest=-1mon@mon latest=@mon ]
| eval Difference=Onemonthbeforecount-Twomonthsbeforecount
| table Difference Onemonthbeforecount Twomonthsbeforecount
Hi @vn_g,
Can you try with tstats?
| tstats count as Twomonthsbeforecount where index="*" earliest=-2mon@mon latest=-1mon@mon
| appendcols
[ tstats count as Onemonthbeforecount where index="*" earliest=-1mon@mon latest=@mon ]
| eval Difference=Onemonthbeforecount-Twomonthsbeforecount
| table Difference Onemonthbeforecount Twomonthsbeforecount
Yes, this helped. Thankyou so much
Is your subsearch getting truncated due to limits on subsearches?
No I don’t see any DAG execution error