Difference between two fields from two events base...

rohinisb91 · ‎09-02-2021

I have two events as below -

event 1

"id=1 api=xyz  apiResTime=50"

event 2

"id=1 api=xyz duration=200"

I want to plot the difference between duration and apiResTime by api.

So far i have tried this

index="my_index"
| search * "apiResponseTime"="*" | table "api", "apiResponseTime" | rename "api" as api1 | rename "apiResponseTime" as x 
| append [search * "duration"="*" | table "api", "duration" | rename "api" as api2 | rename "duration" as y ]
| eval api_match=if(match(api1, api2),1,0) //match the apis
| eval diff=if(api_match=1,y-x,y) // get the difference y-x on match
| table api1, api2, diff

But this is not giving me the required results. Any suggestions / pointers on how I can plot (timechart) the difference between (duration-apiResponseTime) by api. The above events can occur for multiple ids.

PickleRick · ‎09-02-2021

Firstly, don't use "index=something | search other_condition". Just use "index=something other condition".

First form returns all events from an index and then searches in them for the hits instead of searching for a subset in the first place. It's particularily significant with indexed fields.

But to the point - you can, for example, join two searches on common fields

<<search1>> |  join id api [ <<search 2>> ]

As a result of this you should get events containing fields from both searches. So you can do your eval diff=Duration-apiResTime.

There are other options but this one seems most straightforward.

Difference between two fields from two events based on condition

eval

join

subsearch

timechart

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...