``` Reconciliation search: counts the OD values seen today in index Test1 whose OD/Line pair has no match in today's data from index Test2. ```
index=Test1 sourcetype=src1 earliest=@d
``` Normalise the Test1 keys: strip leading "0" characters from OD. NOTE(review): the trim set passed to rtrim is an empty string, so Line is presumably left unchanged; if trailing whitespace should be removed, confirm whether rtrim(Line) was intended. ```
| eval OD=ltrim(OD,"0"),Line=rtrim(Line,"")
| table OD Line
``` Append today's OD/Line pairs from Test2 as extra rows, renamed to X_OD / X_Line so they stay distinguishable from the Test1 rows. NOTE(review): append runs a subsearch, so its output is capped by the subsearch limits (see the maxout / maxtime options); a truncated subsearch would make Test2 pairs look "missing" - confirm the volume fits. ```
| append
[| search index=Test2 sourcetype=src2 earliest=@d
``` CREATEDATE is parsed as %Y%m%d and compared with today's date, so only records created today are kept. ```
| eval created_date=strftime(strptime(CREATEDATE,"%Y%m%d"),"%Y-%m-%d"),today=strftime(now(),"%Y-%m-%d")
| where created_date=today
| dedup OD Line
| table OD Line
``` NOTE(review): OD is not ltrim'ed on this side as it is for Test1; if Test2 OD values can carry leading zeros the pairs will not line up - confirm against the data. ```
| rename OD as X_OD,Line as X_Line]
``` Build a common key from whichever side supplied the row. ```
| eval ODNUM=coalesce(OD,X_OD),LineNUM=coalesce(Line,X_Line)
``` Per key pair: A holds the OD values that came from Test1, B those that came from Test2; a side with no rows for the pair leaves its field null. ```
| stats values(OD) as A,values(X_OD) as B by ODNUM,LineNUM
``` NOTE(review): this adds a "count" column from a subsearch that has no input events, and count is not referenced afterwards; it looks removable - confirm. ```
| appendcols
[| stats count]
``` Missing is set to ODNUM only when the pair exists in Test1 (A) and not in Test2 (B); case() has no default branch, so every other row gets null. ```
| eval Missing=case((isnotnull(A) AND isnull(B)),ODNUM)
``` Distinct count of the missing OD values. NOTE(review): Missing carries ODNUM only, so several missing Lines under one OD count once; if the number of missing OD+Line pairs is wanted, confirm the intended metric. ```
| stats dc(Missing)
It simply counts the ODs that are present in index 1 but missing from index 2, comparing on the OD & Line pair.