My 1st search:
earliest=-2mon@mon latest=-1mon@mon index=linux (host=abc OR host=xyz) COMMAND=LMN|dedup host,PID|stats count(PID) AS Value1
My 2nd search:
earliest=-1mon@mon latest=@mon index=linux (host=abc OR host=xyz) COMMAND=LMN|dedup host,PID|stats count(PID) AS Value2
I want to find Value1-Value2, or the difference in count. When I ran the individual searches I got the counts as 1441 and 1347, but when I used append the 2nd count reduced to 925 instead of 1347; the same happens for join.
How can I find the exact difference in counts?
I think you could simplify things here with one search:
earliest=-2mon@mon latest=@mon
index=linux (host=abc OR host=xyz) COMMAND=LMN
| chart dc(PID) AS Value1 over host by date_mday
Then use eval to do the difference between the months you want
I added | eval Month=strftime(_time,"%m %b %Y") to the command and it worked. Thanks!!
Sorry, I meant date_month and not date_mday, so you could use:
earliest=-2mon@mon latest=@mon
index=linux (host=abc OR host=xyz) COMMAND=LMN
| chart dc(PID) AS Value1 over host by date_month
Can you help me out with the eval command for the difference in these 2 months' values?
My result looks like:
Month Values
01-Jan-2018 1447
02-Feb-2018 1345
I want to calculate the difference of 1447-1345.
Try the delta command:
| makeresults
| eval A=10
| append
[| makeresults
| eval A=20 ]
| delta A
Don't forget to upvote useful comments
This search took too much time to run and finally it gave me 2 values by host and not by Month 😞
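Added example, not part of the original thread: one way to get both monthly counts and their difference from a single search, combining the strftime month field and the delta command mentioned above. The field names Month, host_pid, Value, Change and Difference are chosen here for illustration; dc(host_pid) counts distinct host/PID pairs within each month, which matches dedup host,PID followed by count(PID) in the two original searches.

```spl
earliest=-2mon@mon latest=@mon index=linux (host=abc OR host=xyz) COMMAND=LMN
| eval Month=strftime(_time, "%Y-%m")
| eval host_pid=host . ":" . PID
| stats dc(host_pid) AS Value BY Month
| sort 0 Month
| delta Value AS Change
| eval Difference=-Change
```

delta subtracts the previous row from the current one, so Change on the later month's row is Value2-Value1, and Difference flips the sign to give Value1-Value2. The first row has no previous value, so Change and Difference are empty there.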