I have 2 different searches and I need to create an alert that would trigger if the results of the 2 searches are not equal. Below are my 2 searches. What we are doing is comparing a count of records in and count of records out to make sure the application did not have an issue processing.

index=omma source=omma
| bin _time span=5ms
| stats latest(liccount) as "Value" by lictype
| stats sum("Value") as "Total Records"

index=omma
| stats dc(record_id) as "Total Records"

With minimal changes to your base searches:

index=omma source=omma
| bin _time span=5ms
| stats latest(liccount) as "Value" by lictype
| stats sum("Value") as "Total Records In"
| appendcols
    [ search index=omma
    | stats dc(record_id) as "Total Records Out" ]
| where 'Total Records In'!='Total Records Out'

Thank you! This is what I needed!