Solved: Re: Calculating math on three different searches

labaningombam · ‎11-29-2023

Hi,

I need to write a query to find the time remaining to consume events.

index=x message.message="Response sent" message.feedId="v1" | stats count as Produced

index=y | spath RenderedMessage | search RenderedMessage="*/v1/xyz*StatusCode*2*"| stats count as Processed

index=z message.feedId="v1" | stats avg("message.durationMs") as AverageResponseTime

So I want to basically perform:
Average Time left = Produced - Processed /AverageResponseTime

How can I go about doing this?

Thank you so much

ITWhisperer · ‎11-30-2023

You could try something like this

index=x message.message="Response sent" message.feedId="v1" | stats count as Produced
| appendcols [ search index=y | spath RenderedMessage | search RenderedMessage="*/v1/xyz*StatusCode*2*"| stats count as Processed]
| appendcols [ search index=z message.feedId="v1" | stats avg("message.durationMs") as AverageResponseTime]
| eval AverageTimeLeft = (Produced - Processed) * AverageResponseTime

Note that I think your calculation should be a multiplication not a division

View solution in original post

labaningombam · ‎11-30-2023

Thank you so much for the correction as well 🙂

This worked.

ITWhisperer · ‎11-30-2023

You could try something like this

index=x message.message="Response sent" message.feedId="v1" | stats count as Produced
| appendcols [ search index=y | spath RenderedMessage | search RenderedMessage="*/v1/xyz*StatusCode*2*"| stats count as Processed]
| appendcols [ search index=z message.feedId="v1" | stats avg("message.durationMs") as AverageResponseTime]
| eval AverageTimeLeft = (Produced - Processed) * AverageResponseTime

Note that I think your calculation should be a multiplication not a division

Calculating math on three different searches

data

field extraction

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation