Hi
I have two values and I need to check which one of them is bigger and calculate the gap between them.
How can I do it?
I tried this:
| rex "Current temp Front block = (?<Front>.+)" | rex "Current temp Rear block = (?<Rear>.+)"|eval gap=coalesce(Front>Rear, Front-Rear, Rear-Front) |table Front Rear gap
But gap is returning empty.
Assuming you have serialnumber, Front and Rear extracted, just add the following to your search:
| stats max(Front) as Front max(Rear) as Rear by _time,serialnumber | eval delta=abs(Front-Rear)
The stats command combines the two rows with the same time and serialnumber; the eval calculates the delta (using abs, so the result is always positive and you don't need to first check which one is bigger).
A search including your sample data to demonstrate it works:
| makeresults | eval serialnumber=570123 | eval Front=2788
| append [ | makeresults | eval serialnumber=570123 | eval Rear=2797 ]
| append [ | makeresults | eval serialnumber=570123 | eval Front=2789 | eval _time=_time+60 ]
| append [ | makeresults | eval serialnumber=570123 | eval Rear=2797 | eval _time=_time+60 ]
| stats max(Front) as Front max(Rear) as Rear by _time,serialnumber | eval delta=abs(Front-Rear)
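An added example, not part of the original answer, that runs the same stats/eval approach from raw event text and also reports which value is bigger. The two sample lines are constructed from the message format in the question, and the `raw` and `bigger` field names and the `\d+` capture are assumptions:

```spl
| makeresults
| eval raw=split("Current temp Front block = 2788;Current temp Rear block = 2797", ";")
| mvexpand raw
| eval serialnumber=570123
| rex field=raw "Current temp Front block = (?<Front>\d+)"
| rex field=raw "Current temp Rear block = (?<Rear>\d+)"
| stats max(Front) as Front max(Rear) as Rear by _time, serialnumber
| eval delta=abs(Front-Rear)
| eval bigger=case(Front>Rear, "Front", Rear>Front, "Rear", true(), "equal")
| table _time serialnumber Front Rear delta bigger
```

Before the stats step each event carries only one of Front or Rear, so any eval that compares the two on a single event has a null operand.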
This is the result I got:
Front Rear _raw _time closed_txn count duration eventcount field_match_sum linecount
12 2019-03-24 16:28:11 0 12 0 1 1 1
11 10 2019-03-24 16:27:11 0 10 11 0 2 2 2
9 8 2019-03-24 16:26:11 0 8 9 0 2 2 2
7 6 2019-03-24 16:25:11 0 6 7 0 2 2 2
No idea what is going on there.
Maybe you can explain the search command to me?