I am running a query where I'm trying to calculate the difference between the start and end times a request travels through a service (aka latency). In order to achieve this I search for two logs: one for the start, one for the end, I then subtract the start and end times, and finally do a group by X_Request_ID-which is unique per request. What I have at this point is:

What I want to do now is to only display the count of all requests that took over 1 second. 

My attempt at this looks like:

index=prod component="card-notification-service" eventCategory=transactions eventType=auth AND ("is going to process" OR ("to POST https://apay-partner-api.apple.com/ccs/v1/users/eventNotification/transactions/auth" AND status=204))

| eval diff=if(searchmatch("is going to process"), _time*-1, 0)

| eval Start=if(searchmatch("is going to process"), _time, NULL)

| eval diff=if(searchmatch("to POST https://app.transactions/auth"), diff+_time, diff)

| eval End=if(searchmatch("to POST https://app.transactions/auth"), _time, NULL) | eval seriesName="Baxter<->Saturn

| streamstats sum(diff) by X_Request_ID as FinalDiff |where FinalDiff> 1.0 

| timechart span=5m partial=f count by seriesName

I’ve gotten everything to compile fine before the bolded where clause above. I suspect it’s because in the streamstats command prior, the “as” is only naming the query and not persisting the grouping of the query. Regardless this leads me to the question I am trying to solve: How can I persist sum(diff) after grouping it by X_Request_ID so that in the next pipe I can perform a comparison in the where operation?