Pro tip: Always show sample data, attempted code, and desired output (mockup). We could have saved tons of time if you presented this table in the first place.

OK.  So, here are two ideas.

search earliest=-30d
| eval period = mvappend("30days", if(_time > relative_time(now(), "-15m"), "15minutes", null()))
| stats values(period) as period by App_server_instance_ID
| eval diff = if(mvcount(period) < 2, App_server_instance_ID, null())
| stats values(App_server_instance_ID) as App_server_instance_ID values(diff) as diff by period

This gives you a vertically laid out presentation like

If you really prefer a horizontally laid table,  do a transpose

index=_internal earliest=-2d
| eval period = mvappend("30days", if(_time > relative_time(now(), "-15m"), "15minutes", null()))
| rename date_minute as App_server_instance_ID
| stats values(period) as period by App_server_instance_ID
| eval diff = if(mvcount(period) < 2, App_server_instance_ID, null())
| stats values(App_server_instance_ID) as App_server_instance_ID values(diff) as diff by period
| transpose header_field=period

It is doable to place diff on the header.  But this layout is more comprehensible IMHO.

Interestingly, someone asked a similar search very recently but I can't find it now.

The way I picture this is to label the two periods. Obviously, last 30 days contains last 15 minutes, so we can simply label the last 15 minutes.   I have a suspicion that your actual stats is different from simple count.  But for count, you can do

search earliest=-30d
|stats count as 30days sum(eval(if(_time > relative_time(now(), "-15m"), 1, 0))) as 15minutes by App_server_instance_ID App_server_hostname
| eval diff = '30days' - '15minutes'

Other stats can be similarly maneuvered

Thank you so much...

but i need display only App-instance-id 

Differences

Can you please help on this

You need to be more specific about your requirements.  The code was based on your code snippet.  One way to drop App_server_hostname is to simply drop it.  As to display, you can use table, fields, or fields -.

search earliest=-30d
|stats count as 30days sum(eval(if(_time > relative_time(now(), "-15m"), 1, 0))) as 15minutes by App_server_instance_ID
| eval diff = '30days' - '15minutes'
| table App_server_instance_ID diff

This may or may not be what you needed, but it fits what you said.

Thanks a lot..

My requirement is 

No need to show diff count if instance-id's

When i run the query with last 30 days..instance id's showing ..39events

But taking last 15mnts ..the instance id showing ..34events.. need show only 39-34 =5 instance id s names we need display..

So need show non-traffic list instance id..of differences ids only 

Could you please help on this ...

Thanks.

As I said - just set your search timerange to include only events from 15 minutes ago to 30 days ago and you're good to go. Don't overcomplicate things.

Unless you want something more than just listing the events. it's not clear what those instance ids are and how they relate to the events themselves. And how those time ranges "interact" with each other - are the instance ids unique to each single event? Or are they repeatable? If so, can they be "carried over" to the "last 15 minutes period"? If so - do you want them listed in such case or do you want only those ones that didn't appear during last 15 minutes.

Your requirements are not very precise so it's hard to meet them.

Since the difference comes from the different timeframe, you can just look into your index and either set

earliest=-30d latest=-15m

as your search parameters. Like

index=myindex source=mysource earliest=-30d latest=-15m

Or simply search across your index

index=myindex source=mysource

and set the appropriate time range in the timepicker.

Unless there's more to it and I don't understand it 🙂