Compare two fields and achieve a left outer comparison

kelk · November 13, 2020, 8:07pm

I've following data

{ "index" : { "_index" : "host_compare", "_id" : "1" } }
{ "host_name" : "myhost2" , "host_count" : "10", "@timestamp": "2020-11-12T02:00:00Z" }
{ "index" : { "_index" : "host_compare", "_id" : "3" } }
{ "host_name" : "myhost2" , "host_count" : "20", "@timestamp": "2020-11-11T02:00:00Z" }
{ "index" : { "_index" : "host_compare", "_id" : "4" } }
{ "host_name" : "myhost3" , "host_count" : "20", "@timestamp": "2020-11-11T02:00:00Z" }
{ "index" : { "_index" : "host_compare", "_id" : "5" } }
{ "host_name" : "myhost4" , "host_count" : "20", "@timestamp": "2020-11-11T02:00:00Z" }

So its all in same index. I wanted to see if any host_name is not present on 2020-11-12, but was present on 2020-11-11. How is it possible to achieve this via DSL?

So my final outcome, I'm lookig for is something like.. (as host2 was present in both days)

   host_name   
---------------
myhost3        
myhost4

warkolm · November 17, 2020, 11:16pm

I don't believe there's a specific query to handle this. You should be able to do this with a Watch like this one though.

system · December 15, 2020, 11:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Compare values across two indicies Elasticsearch	1	134	November 30, 2023
Compare field value of two different index Elasticsearch	2	379	June 14, 2018
How to Compare two different fields value of two different index? Elasticsearch elastic-stack-alerting	18	13048	June 21, 2018
How to compare hostname field in two index and create a new fild with boolean value Elasticsearch	2	348	June 4, 2019
Need help to create a suspicious domains indicator (please)! Elasticsearch	2	352	August 2, 2018

Compare two fields and achieve a left outer comparison

Related topics