Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Difference between two fields from two events based on condition

rohinisb91
Observer
‎09-02-2021 11:41 AM

I have two events as below -

event 1 

 

"id=1 api=xyz  apiResTime=50"

 

event 2

 

"id=1 api=xyz duration=200"

 

I want to plot the difference between duration and apiResTime by api.

So far i have tried this

 

index="my_index"
| search * "apiResponseTime"="*" | table "api", "apiResponseTime" | rename "api" as api1 | rename "apiResponseTime" as x 
| append [search * "duration"="*" | table "api", "duration" | rename "api" as api2 | rename "duration" as y ]
| eval api_match=if(match(api1, api2),1,0) //match the apis
| eval diff=if(api_match=1,y-x,y) // get the difference y-x on match
| table api1, api2, diff

 

But this is not giving me the required results. Any suggestions / pointers on how I can plot (timechart) the difference between (duration-apiResponseTime) by api. The above events can occur for multiple ids.

Labels (4)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-02-2021 12:30 PM

Firstly, don't use "index=something | search other_condition". Just use "index=something other condition".

First form returns all events from an index and then searches in them for the hits instead of searching for a subset in the first place. It's particularily significant with indexed fields.

But to the point - you can, for example, join two searches on common fields

<<search1>> |  join id api [ <<search 2>> ]

As a result of this you should get events containing fields from both searches. So you can do your eval diff=Duration-apiResTime.

There are other options but this one seems most straightforward.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...

Developer Spotlight with Mika Borner

From Hackathon Winner to Enterprise Leader    Mika Borner, CEO and Founder of Datapunctum AG, has been ...

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...