Hi all,
We have two reverse proxies, one front, one back. They both log http requests and responses to the same index. Each request has a unique-ID that is the same on the front and back. I would like to correlate the front and back requests with the same unique-ID. So the two searches are something like this:
index=rpx proxy=front unique_id=*
index=rpx proxy=back unique_id=*
Log lines would then look something like this (shortened for brevity):
proxy=front, unique_id=123456, time_taken=2ms
proxy=back, unique_id=123456, time_taken=5ms
My goal is to have the delta time of the time_taken field and then display it in for instance a timechart avg. Maybe I should do the one search and correlate from the time_taken field from there?
without a dataset it's little bit complicated but you have to use this logic
index=rpx unique_id=* proxy=front OR proxy=back
| eval time_taken_back=if(proxy="back",time_taken,""), time_taken_front=if(proxy="front",time_taken,""),unique_id_back=if(proxy="back",unique_id,""), unique_id_front=if(proxy="front",unique_id,"")
| eval delta=if(unique_id_back=unique_id_front,time_taken_back-time_taken_front,"")
| stats values(delta) as delta by unique_id,_time
Thanks I will try it out and report back 🙂