I am trying to create a search which will give the difference in count for a field called "id" and show what are those different values for that field "id".
For instance if the current hour count for id is 900 and previous hour count is 830 ...I want to see the difference as 70 and show what are those 70 different id's .Currently I am able to get the difference using below search
index="netbox_test" | rename "results{}.id" as "id" | timechart span=1h count(id) as total | delta total as difference
If the difference in id count between two hour-long periods is 70 doesn't mean that it's only 70 ids that differ. Example - in one hour you have ids of 1,2,3 in next - 4,5. The count difference is 1 but all the ids are different.
Either you're assuming too much or there are additional unmentioned conditions.
To be more clear I am pulling netbox data into Splunk...so there are 900 devices in netbox...sometimes these 900 devices might be turned off or removed or added...So when these changes occur the count differs...I want to see what is the difference when compared hourly...I was able to find the difference every hour by using the delta..but I want to know what are those different devices for that particular hour..like comparing current hour with previous hour and show the count difference and what is different.
So you see for yourself that simply counting is not a reliable way of noticing that the sets are different. If you had 1,2,3,4 during one hour and 3,4,6,9 next hour, you'd miss that 1,2 turned into 6,9.
