Compare two fields and achieve a left outer comparison

kelk · November 13, 2020, 8:07pm

I've following data

{ "index" : { "_index" : "host_compare", "_id" : "1" } }
{ "host_name" : "myhost2" , "host_count" : "10", "@timestamp": "2020-11-12T02:00:00Z" }
{ "index" : { "_index" : "host_compare", "_id" : "3" } }
{ "host_name" : "myhost2" , "host_count" : "20", "@timestamp": "2020-11-11T02:00:00Z" }
{ "index" : { "_index" : "host_compare", "_id" : "4" } }
{ "host_name" : "myhost3" , "host_count" : "20", "@timestamp": "2020-11-11T02:00:00Z" }
{ "index" : { "_index" : "host_compare", "_id" : "5" } }
{ "host_name" : "myhost4" , "host_count" : "20", "@timestamp": "2020-11-11T02:00:00Z" }

So its all in same index. I wanted to see if any host_name is not present on 2020-11-12, but was present on 2020-11-11. How is it possible to achieve this via DSL?

So my final outcome, I'm lookig for is something like.. (as host2 was present in both days)

   host_name   
---------------
myhost3        
myhost4

warkolm · November 17, 2020, 11:16pm

I don't believe there's a specific query to handle this. You should be able to do this with a Watch like this one though.

system · December 15, 2020, 11:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.