subtract value on Subquery

politrons · ‎01-12-2017

So basically I want to make a subquery where I can use the values founded in the first query to make a subtract from the second subquery

external_response=Time

so the idea is get the subquery sum all times for traceId and then subtract the external_time

Any idea how to accomplish this?

sourcetype="service_ppe" source="/var/log/httpClient*.log" | stats sum(time_ms) as external_response by trace_id | join external_response [search sourcetype="service_ppe" source="/var/log/request*.log" | stats sum(time_ms) as response by trace_id | eval price_response=(response - external_response) | timechart count(price_response) ]

Regards.

lguinn2 · ‎01-12-2017

The following search may be closer to what you want. However, you can't have a timechart at the end of this pipeline, because you have factored out _time in the stats commands. And you don't need a subsearch.

sourcetype="service_ppe" source="/var/log/httpClient*.log" OR source="/var/log/request*.log"
| eval type=if(match(source,"/var/log/request.*.log"),"response","external_response")
| chart sum(time_ms) by trace_id type
| eval price_response=response - external_response

For each trace_id, this calculates the sum of the time_ms. If the time_ms comes from the httpClient log, it is added to the external_response. If the time_ms comes from the request log, it is added to the response. Finally, the difference between the two is calculated for each trace_id. The resulting table will show the trace_id, external_response, response, and price_response.

If you want a timechart, exactly what do you want to see on the chart?

subtract value on Subquery

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...