I have 2 events having fields
1. id_cse_event: sqsmessageid,timestamp
2. Scim: sqs_message_id, timestamp.
I want to search all the messages published by id_cse_events in scim using messageid, then find the difference between the time stamps
This is the query i have wrote:
sourcetype=id-cse-events
| where isnotnull(sqsMessageId)
| eval sqsmsgid=sqsMessageId
| eval id_cse_time=timeStamp
| table sqsmsgid, id_cse_time
| map
[search sourcetype=scim |fields line.message.sqs_message_id, line.timestamp|search line.message.sqs_message_id="$sqsmsgid$"
| eval time_diff_in_seconds=strptime(id_cse_time,"%Y-%m-%dT%H:%M:%S")-strptime(line.timestamp,"%Y-%m-%dT%H:%M:%S") ]maxsearches=9999
| table line.message.sqs_message_id,time_diff_in_seconds
id_cse_time= 2023-01-27T09:55:45.970831Z
scim timestamp = 2023-01-27T08:24:28.601+0000
The events are getting matched, but i don't see any table with messageid and timediff.
Can anyone help?
Rather than using map, try gathering the events with stats
sourcetype=id-cse-events OR sourcetype=scim
| eval sqsmsgid=coalesce(sqsMessageId,line.message.sqs_message_id)
| stats values(timeStamp) as id_cse_time values(line.timestamp) as line_timestamp by sqsmsgid
| eval time_diff_in_seconds=strptime(id_cse_time,"%Y-%m-%dT%H:%M:%S")-strptime(line.timestamp,"%Y-%m-%dT%H:%M:%S")
| table sqsmsgid,time_diff_in_seconds
Rather than using map, try gathering the events with stats
sourcetype=id-cse-events OR sourcetype=scim
| eval sqsmsgid=coalesce(sqsMessageId,line.message.sqs_message_id)
| stats values(timeStamp) as id_cse_time values(line.timestamp) as line_timestamp by sqsmsgid
| eval time_diff_in_seconds=strptime(id_cse_time,"%Y-%m-%dT%H:%M:%S")-strptime(line.timestamp,"%Y-%m-%dT%H:%M:%S")
| table sqsmsgid,time_diff_in_seconds
With this query i can only see the timestamps of id_cse_events not for the scim
Please can you share some events from both sourcetypes (anonymised of course), preferably in code blocks </> to prevent information being removes by the formatting process.