I have a query that calculates Batch logs from different time slots and shows the output using the append command. But in the first time slot I'm getting a batch log which is not there in the 2nd time slot of the same query. In the output of the query after appending, I'm not getting the logs that appear in only one time slot.
Queries used:
index=main sourcetype=xml "MSR*" earliest=-30d latest=-15d
In the above query I'm getting the MSR1451 batch in the output.
index=main sourcetype=xml "MSR*" earliest=-14d latest=now()
In the above query, we are not getting that MSR1451 batch.
index=main sourcetype=xml "MSR*" earliest=-30d latest=-15d |fields jobName | eval marker="Before 15 days" | append [search index=main sourcetype=xml "MSR*" earliest=-30d latest=-15d |fields jobName | eval marker="After 15 days"] | stats count (eval(marker="Before 15 days")) AS Before 15 days, count (eval(marker="After 15 days")) AS After 15 days by JobName
In the above query I'm getting only the common jobs that appear in both time slots. I need the jobs that appear in only one time slot to be listed as well.