Re: Difference between two fields from two events ...

rohinisb91 · ‎09-02-2021

I have two events as below -

event 1

"id=1 api=xyz  apiResTime=50"

event 2

"id=1 api=xyz duration=200"

I want to plot the difference between duration and apiResTime by api.

So far i have tried this

index="my_index"
| search * "apiResponseTime"="*" | table "api", "apiResponseTime" | rename "api" as api1 | rename "apiResponseTime" as x 
| append [search * "duration"="*" | table "api", "duration" | rename "api" as api2 | rename "duration" as y ]
| eval api_match=if(match(api1, api2),1,0) //match the apis
| eval diff=if(api_match=1,y-x,y) // get the difference y-x on match
| table api1, api2, diff

But this is not giving me the required results. Any suggestions / pointers on how I can plot (timechart) the difference between (duration-apiResponseTime) by api. The above events can occur for multiple ids.

PickleRick · ‎09-02-2021

Firstly, don't use "index=something | search other_condition". Just use "index=something other condition".

First form returns all events from an index and then searches in them for the hits instead of searching for a subset in the first place. It's particularily significant with indexed fields.

But to the point - you can, for example, join two searches on common fields

<<search1>> |  join id api [ <<search 2>> ]

As a result of this you should get events containing fields from both searches. So you can do your eval diff=Duration-apiResTime.

There are other options but this one seems most straightforward.

Difference between two fields from two events based on condition

eval

join

subsearch

timechart

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!