How to subtract 2 metrics and show the value as 3rd metrics?

I have 2 metrics showing my application disconnects. 1 is the total disconnects of my application and the 2nd is manual disconnects performed by users. The difference between the 2 is expected to be "System/Unknown Disconnects".
For e.g. Total Disconnects = 10, Manual Disconnects = 6,
Expected Result - System / Unknown Disconnects = 4

I am calculating these numbers (Total / Manual) using the unique counts of my application file generation & some query to identify manual closure.

I am trying to display a metric with value as 4 for my team here, as today they have to calculate it before sharing the data to others. I tried using the timelion metrics, it gives me the lines/bars but i dont see any count anywhere. I have to count the number of lines/bars to get the count.

Can anyone please let me know how to achieve this ?

Hey @Sameer_Panicker TSVB allows you to do some math; however, in a somewhat constrained manner. Would you mind further elaborating on the structure of your ES documents, and I can see if there's a way to do what you're looking for?

There's also Vega, but this requires a non-trivial amount of effort to write Vega Visualizations.

I have attached my metrics query. Just to let you know at present there is no fields present that will give me these numbers.

Please let me know what info you will require as part of ES.

Hey @Sameer_Panicker. Those screenshots of your metric visualizations unfortunately don't provide enough information for me to advise further. Can you attach a sample Elasticsearch document or two and explain how you differentiate between the two categories?

@Brandon_Kobel - Please find the json data. Let me know if this works.

Both the metrics check for similar formats. The differentiating factor is the breezeEvents.Message.

{
"_index": "logstash-breeze-finesseclient-2019.10.25",
"_type": "log",
"_id": "33764717-3bae-4d0c-b494-34934e1f70fa",
"_version": 1,
"_score": null,
"_source": {
"ctxHost": "Z079",
"tags": [
"beats_input_raw_event"
],
"processID": 50356,
"application_name": "Breeze",
"@version": "1",
"occurredOn": "2019-10-25T10:47:11.3618108-05:00",
"host": {
"name": "AP01C"
},
"log": {
"format": "breeze_log",
"type": "breeze_log",
"file": {
"path": "E:\kibana\brz\logs\a0731e8d-c96c-439f-ac03-7f2c50050025.log"
}
},
"source_system_code": "BRZ",
"document_id": "33764717-3bae-4d0c-b494-34934e1f70fa",
"prospector": {
"type": "log"
},
"log.type": "breeze_log",
"input": {
"type": "log"
},
"@timestamp": "2019-10-25T15:49:03.955Z",
"application": "Breeze",
"sourceZipFilePath": "E:\Shared\Application Logs\Citrix\Breeze\10.25.2019\1467327\Z079\Logs.50356.10.48.38.zip",
"index": "logstash-breeze-finesseclient",
"logstash_timestamp": "2019-10-25T15:49:03.955Z",
"breezeEvents": {
"CurrentUser": "1467327",
"ErrorOccurred": "false",
"Message": "Breeze closed successfully."
},
"sourceZipFile": "Logs.50356.10.48.38",
"source": "E:\kibana\brz\logs\a0731e8d-c96c-439f-ac03-7f2c50050025.log",
"userName": "1467327",
"log_type": "breeze_log",
"beat": {}
},
"fields": {
"logstash_timestamp": [
"2019-10-25T15:49:03.955Z"
],
"@timestamp": [
"2019-10-25T15:49:03.955Z"
],
"sc-error-description": [
null
],
"sc-rs-code-int": [
0
],
"breezeEvents.ErrorTime": [
"2019-10-25T15:47:11.361Z"
],
"sc-error-code-type": [
null
],
"sc-rs-code-label": [
null
],
"occurredOn": [
"2019-10-25T15:47:11.361Z"
]
},
"highlight": {
"breezeEvents.Message.keyword": [
"@kibana-highlighted-field@Breeze closed successfully.@/kibana-highlighted-field@"
],
"application.keyword": [
"@kibana-highlighted-field@Breeze@/kibana-highlighted-field@"
]
},
"sort": [
1572018543955
]
}

@Brandon_Kobel - Any luck ?

@Sameer_Panicker unfortunately, this isn't currently supported in TSVB. If you can give https://github.com/elastic/kibana/issues/4707 a thumbs up or provide additional information regarding your specific needs, it'll help us prioritize appropriately.

Thanks @Brandon_Kobel

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.