We have 2 types of orders in the system, some are entered manually by phone and some are processed automatically as they are fed by other systems.
The way I can differentiate is by the order timestamps:
Phone orders do not contain miliseconds in the order timestamp (2022-09-16T17:07:41Z)
Orders filled automatically by other systems contain miliseconds (2022-09-16T16:22:28.573Z)
I am calculating the processing delays on these orders but I want to display the results on 2 rows:
1. Phone orders max delays
2. System orders max delays
Here is what I am using now:
MySearch | rex field=_raw "(?ms)^(?:[^ \\n]* ){9}\"(?P<TradeDateTS>[^\"]+)" offset_field=_extracted_fields_bounds | rex field=_raw "^(?:[^ \\n]* ){7}\"(?P<StoreTS>[^\"]+)" offset_field=_extracted_fields_bounds0 | eval Delay = (strptime(StoreTS, "%Y-%m-%dT%H:%M:%S.%N"))-(strptime(TradeDateTS, "%Y-%m-%dT%H:%M:%S.%N"))
| stats max(Delay)
Note: the goal is not to add or remove the miliseconds information
Differentiating the timestamps is just a matter of looking for those with a "." in them.
MySearch | rex field=_raw "(?ms)^(?:[^ \\n]* ){9}\"(?P<TradeDateTS>[^\"]+)"
| rex field=_raw "^(?:[^ \\n]* ){7}\"(?P<StoreTS>[^\"]+)"
| eval Delay = (strptime(StoreTS, "%Y-%m-%dT%H:%M:%S.%N"))-(strptime(TradeDateTS, "%Y-%m-%dT%H:%M:%S.%N"))
| eval orderType=if(match(TradeDateTS, "\."), "auto", "phone")
| stats max(Delay) by orderType
Differentiating the timestamps is just a matter of looking for those with a "." in them.
MySearch | rex field=_raw "(?ms)^(?:[^ \\n]* ){9}\"(?P<TradeDateTS>[^\"]+)"
| rex field=_raw "^(?:[^ \\n]* ){7}\"(?P<StoreTS>[^\"]+)"
| eval Delay = (strptime(StoreTS, "%Y-%m-%dT%H:%M:%S.%N"))-(strptime(TradeDateTS, "%Y-%m-%dT%H:%M:%S.%N"))
| eval orderType=if(match(TradeDateTS, "\."), "auto", "phone")
| stats max(Delay) by orderType