I need to be able to find the difference between two "Count" values; the count for today, and the count yesterday.
| stats count by source, reportTime
This gives me results similar to below:
Source              ReportTime  Count
otl_adcomputerscan  2017-02-20  16070
otl_adcomputerscan  2017-02-21  16088
I want to be able to find the difference between the count today, and the count yesterday.
What is the best way to do this?
Could only accept one answer, but this worked also!
Can you please explain to me what the "streamstats count as row" bit is doing?
And the "xyseries source row count" row?
streamstats adds a row field to each row; xyseries converts a column to a string of rows (which is what chart is also doing in the other answer). Add the piped commands one-by-one to see what each does.
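An added example, not part of the original thread: the `streamstats count as row` and `xyseries source row count` steps asked about above, run over two rows constructed with `makeresults` from the question's table. The `by source` clause, the `rename` to Yesterday and Today, and the `difference` field are assumptions made for illustration.

```spl
| makeresults count=2
| streamstats count as n
| eval source="otl_adcomputerscan"
| eval reportTime=if(n=1, "2017-02-20", "2017-02-21")
| eval count=if(n=1, 16070, 16088)
| fields source reportTime count
| sort 0 source reportTime
| streamstats count as row by source
| xyseries source row count
| rename "1" as Yesterday, "2" as Today
| eval difference=Today-Yesterday
```

Run it one pipe at a time: after `streamstats` each source's rows are numbered 1 and 2 in reportTime order, and after `xyseries` those numbers become columns holding the counts, one result row per source.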
Assuming you always want to compare today with yesterday, try this
index=ad source=otl_adcomputerscan | eval reportTime=if(strptime(reportTime,"%Y-%m-%d")>=relative_time(now(),"@d"),"Today","Yesterday") | chart count over source by reportTime | eval difference=Today-Yesterday