If I add 1 host and remove another host in a month, the stats will be the same and the delta zero, but we had movement. That's what I'm trying to track. This is what I have so far:
| timechart span=1mon dc(HostName) as CountOfHosts
| streamstats window=2 last(CountOfHosts) AS Last, first(CountOfHosts) AS First
| eval Delta=Last-First
You should not post the same question twice. You should take time to clearly formulate it before you post it and update the original question as needed. See my answer here:
In order to build a fairly reliable search you'll have to tell us what your events look like, how often they occur, under what condition a host is considered to be added or removed, and so on.
Some early thoughts on your attempt: going by the distinct count is troublesome. If you add host A and remove host B, your distinct count doesn't change. Depending on your number of hosts and the sample rate of their events this statistically won't be avoidable. You will need to track adds and removes per host, and then count those add/remove events.
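The per-host tracking suggested in the answer above, as an added example that is not part of the original thread: it compares each month's set of hosts with the previous month's, so a swap shows up as one add and one remove even when the distinct-count delta is zero. The function name, the (Date, Host_Name) row layout and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows (not from the thread): (Date, Host_Name) pairs as
# they might be extracted from the monthly billing CSV. Column choice is assumed.
SAMPLE_ROWS = [
    ("2016/03/01", "host-a"), ("2016/03/01", "host-b"),
    ("2016/04/01", "host-a"), ("2016/04/01", "host-b"),
    ("2016/04/01", "HOST-B "),                      # duplicate line, messy casing
    ("2016/05/01", "host-a"), ("2016/05/01", "host-c"),   # b swapped for c
    ("2016/06/01", "host-a"), ("2016/06/01", "host-c"), ("2016/06/01", "host-d"),
]


def monthly_churn(rows):
    """Return one dict per month: host count, count delta, adds and removes."""
    hosts_by_month = defaultdict(set)
    for date, host in rows:
        # Key on YYYY/MM; normalise the name so casing/whitespace is not churn.
        hosts_by_month[date[:7]].add(host.strip().lower())

    report, previous = [], None
    # Each month is compared with the previous month that has data, so a
    # missing monthly feed is not reported as every host being removed.
    for month in sorted(hosts_by_month):
        current = hosts_by_month[month]
        if previous is None:
            added, removed, delta = set(), set(), 0   # first month is the baseline
        else:
            added, removed = current - previous, previous - current
            delta = len(current) - len(previous)
        report.append({
            "month": month,
            "count": len(current),
            "delta": delta,                 # what the distinct-count approach sees
            "added": sorted(added),         # what actually moved
            "removed": sorted(removed),
        })
        previous = current
    return report


if __name__ == "__main__":
    for row in monthly_churn(SAMPLE_ROWS):
        print(row)
```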
What you have described with distinct count is the challenge for me. The events come in a CSV input once a month which is then summarized. This is a sample event:
2016/05/01,9810440,Infrastructure,Distributed Storage,Backup,Backup,Backup,0.05,DCI Backup,USER SERVICES (blah),WORKSPACE SERVICES (blah),WORKSPACE SERVICES (blah),1580962,S1005WIF790,182976,ORG TRANSFER - TELEPHONY 802,$0 ,0
Cost = $0 Cost Center = 123456 Cost_Center = Distributed Storage Date = 2016/05/01 Feed_Name = blah Backup Host_Name = myhost Org L4 = USER SERVICES (blah) Org L5 = WORKSPACE SERVICES (blah1) Org L6 = WORKSPACE SERVICES (bah2) Org_Description = ORG TRANSFER - TELEPHONY 123 Org_L5 = Backup (Blah5) Org_L6 = 0.05 PPGL1 = Infrastructure PPGL2 = Distributed Storage PPGL3 = Backup PPGL4 = Backup Product = Backup Standard Price = 0.05 Volume = 0 date_mday = 1 date_month = may date_wday = sunday date_year = 2016 date_zone = -240 field1 = 2016/05/01 field2 = 9810440 host = myindexer index = blahblah linecount = 1 punct = //,,_,_,,,_(),.,_,___(),__(),___(),,,,__-__,$_, source = May billing detail.csv sourcetype = blah splunk_server = myindexer indexer tag = index