I am using the following query to retrieve events that I then display. I would like to add another column that is the difference between the two columns.
Each log event has a field called app_elements, for example app_elements={eventtype='event1','widget'='apple').
The query:
index="aws" level="info" env="dev" earliest=-72h latest=-48h| spath input=app_elements | stats count by eventtype | eval Period="Before" | append [search index="aws" level="info" env="dev" earliest=-24h latest=now| spath input=app_elements | stats count by eventtype | eval Period="Now" ] | chart sum(count) over eventtype by Period
The current result:
eventtype  Before  Now
event1     10      20
event2     15      12
event3     22      20
event4     5       8
The desired result:
eventtype  Before  Now  Difference
event1     10      20   10
event2     15      12   -3
event3     22      20   -2
event4     5       8    3
@jmalachoSPL64 Difference seems not consistent; however, is this what you are looking for?
<your_whole_search>
| eval Difference = Before - Now
| table eventtype Before Now Difference
Thanks venkatasri. I threw in a fillnull to zero out the events that don't occur on particular days and it looks great.
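Putting the thread's pieces together as one complete search (an added example, not the code of either poster): the original query, the fillnull the asker mentioned so that an eventtype missing from one period counts as 0 instead of leaving Difference null, and the eval written as Now - Before so the sign matches the desired result table. Index, field names and time windows are assumed from the question.

```spl
index="aws" level="info" env="dev" earliest=-72h latest=-48h
| spath input=app_elements
| stats count by eventtype
| eval Period="Before"
| append [ search index="aws" level="info" env="dev" earliest=-24h latest=now
    | spath input=app_elements
    | stats count by eventtype
    | eval Period="Now" ]
| chart sum(count) over eventtype by Period
| fillnull value=0 Before Now
| eval Difference = Now - Before
| table eventtype Before Now Difference
```

Without the fillnull, an eventtype seen in only one window has a null in the other column and Difference comes out empty for that row, which is easy to mistake for "no change".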