Please find the attached screenshot.!!
I am trying to create a new filed name -- 'msec different' and its value will be '0' when the event name is a start and 2nd value will be the difference of [2nd 'msecs' value - 3rd 'msecs' value] and goes on...
I want to do it in kibana only ..either by scripted field or you can also suggest any other way to do it.
Thanks
Hi,
I don't think that scripted fields are able to do this as scripted fields only have access to a single document.
I think this would be possible with LogStash:
Best regards
Wolfram
This should be possible using a transform, transform is a elasticsearch feature, but there is a kibana UI for it.
It seems you want to group_by execkey, the duration can be calculated as aggregation, however you need some scripting for that. We have an example for that in the docs. You need at least 7.5 for this, newer is better as the UI got a lot of enhancements with every new release.
In a nutshell the transform will create a 2nd index which you can further analyze, e.g. to get the average duration for all sessions, you can as well visualize the transformed data. Using the continuous mode, you can automatically transform new incoming data on the fly.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
