Here is what I'm trying to do:
I have two events- both have the field 'requestId'. One of them has the field 'processTime' and another has the field 'operation'. I need to correlate the two using 'requestId'. My goal is to find out 'processTime' for each 'operation'.
e.g.

    requestId | processTime
    1234      | 78.3

    requestId | operation
    1234      | clean
What I'm looking for is this:

    table operation, processTime
    clean              78.3
(Well, I can continue to use requestId, but would like to do some aggregation at this point)
I tried to do a subsearch like this, but the field 'operation' is not available for the outer query:

    requestId processTime [search requestId operation | fields + requestId, operation] | table operation, processTime
I tried map, append, appendcols, join, but didn't get it to work.
Appreciate any help.
Thanks
It's probably a better idea to use stats or transaction.

stats:

    ... | stats first(operation) as operation, first(processTime) as processTime by requestId | fields - requestId

transaction:

    ... | transaction requestId | table operation processTime
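To go from the correlated rows to the per-operation aggregation the question mentions, here is an added SPL example (not from the answer above); the sourcetypes app_request and app_operation are assumed names, and values()/max() are used instead of first() so the result does not depend on event order.

```spl
(sourcetype=app_request OR sourcetype=app_operation) requestId=*
| rename comment AS "added example: sourcetypes app_request and app_operation are assumed names, not from the page"
| stats values(operation) AS operation, max(processTime) AS processTime BY requestId
| where isnotnull(operation) AND isnotnull(processTime)
| stats count AS requests, avg(processTime) AS avgProcessTime, max(processTime) AS maxProcessTime BY operation
```

The where clause drops any requestId that produced only one of the two events, so the averages are computed over fully matched pairs only.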