I have two events as below - event 1 "id=1 api=xyz apiResTime=50" event 2 "id=1 api=xyz duration=200" I want to plot the difference between duration and apiResTime by api. So far i have tried this index="my_index"
| search * "apiResponseTime"="*" | table "api", "apiResponseTime" | rename "api" as api1 | rename "apiResponseTime" as x
| append [search * "duration"="*" | table "api", "duration" | rename "api" as api2 | rename "duration" as y ]
| eval api_match=if(match(api1, api2),1,0) //match the apis
| eval diff=if(api_match=1,y-x,y) // get the difference y-x on match
| table api1, api2, diff But this is not giving me the required results. Any suggestions / pointers on how I can plot (timechart) the difference between (duration-apiResponseTime) by api. The above events can occur for multiple ids.
... View more