Hi,
I have two indexes:
index="abc"
index="dummy"
Now both indexes have one common field ID.
I want to compare index dummy with index abc and list all IDs which are present in index abc, but not in index dummy
eg
index=abc contains
id
2
4
6
8
10
index=dummy contains
1
2
3
4
5
6
7
10
desired result
8
Thanks
Try this
Updated wrong function used in where.
index=abc OR index=dummy | stats values(index) as index by ID | where mvcount(index)=1 AND index="abc"
Update2
For dbquery
index=abc | table ID | eval From="abc" | append [| dbquery ...your query | table ID | eval From="dbquery" ] | stats values(From) as From by ID | where mvcount(From)=1 AND From="abc"
Try this
Updated wrong function used in where.
index=abc OR index=dummy | stats values(index) as index by ID | where mvcount(index)=1 AND index="abc"
Update2
For dbquery
index=abc | table ID | eval From="abc" | append [| dbquery ...your query | table ID | eval From="dbquery" ] | stats values(From) as From by ID | where mvcount(From)=1 AND From="abc"
It worked thank you,
but it only works if both data is coming form index
now ,i am fetching abc data directly form database using dbquery and dummy is same (Index data)
can u suggest query for above condition
|savedsearch "abc"|table ID "IP Address"|eval From="abc"| append [|savedsearch "dummy"|table ID "IP Address"|eval From="dummy"]|stats values(From) as From by ID|where mvcount(From)=1 AND From="abc"
above query doesnt worked for saved search plz suggest modifications
thank you,
What's the error do you get? Do the queries work individually?
Try the updated answer
Try
index=abc OR index=dummy | chart count over id by index | where dummy=0