Now we are trying to get a search that will show us the % difference for the index by day or week.
This is to provide us information so that, if our license volume shoots up, we can find the indexes involved in this issue.
The search that uses this summary index is below.
This was working fine until we added a new index. Once the new index was added, each Index2 column was off by 1 row once that index name hit in the list. And this is skewing the Index2 column so the comparison (%difference) is skewed. I expect the same will happen as we decommission indexes also.
Any assistance on how to account for this issue of having a different number of rows for each search would be appreciated.
%difference search - comparing yesterday to 7 days ago
index=index_metric_summary "License Pool"=site1 earliest=@d latest=now
| sort Index | stats median("MB's Used") as yesterday by Index
| appendcols [ search index=index_metric_summary "License Pool"=site1 earliest=-7d@d latest=-6d@d | sort Index
| rename Index as Index2
| stats median("MB's Used") as previous by Index2]
| eval %difference=round(((yesterday-previous)/previous)*100,2)
| table Index Index2 previous yesterday %difference
This is what the output looks like around the point where the new index is listed