I've been exploring some data on Lens and got to the point where negative values ended up showing up in my data; I just want to pick the ones with "1" on it. I know that in Canvas a simple "WHERE" would work, but I don't know yet how to replicate it in Lens. Here is the image of the case:
And here is the formula I've been using:
count(kql='message.keyword : "successfully unregistered device on server "') - count(kql='message.keyword : "successfully registered device on server "')
I also tried by division and it really removes the negative values, but as you guys can see, there are some zeros and some of them are also null values. So I've been looking for a way to filter out everything.
While I don't know if it may help, I'll also describe what I'm using to make that info go into the cluster.
Filebeat is catching our logs and sending them into the cluster, and once it reaches there it goes through one ingest pipeline with grok. Here is the processor for it:
[
  {
    "grok": {
      "field": "message",
      "patterns": [
        "%{TIMESTAMP_ISO8601:log_time} %{NOTSPACE:device_id} %{DATA:OS} %{GREEDYDATA:message}"
      ]
    }
  }
]
The situation is that every time an "Unregistered" pops up we expect a "Registered" message to come a few milliseconds later; in case it doesn't happen we consider something went wrong and need to see when it happened on a dashboard.
Here is the dashboard:
What I was doing so far was simply subtracting the "Registered" out of the "Unregistered", so normal cases would send back 0 and anomalies would print what is left wrong.
The negative numbers mean there were, for a moment, more values of "Registered" than "Unregistered", which is an anomaly but not exactly a bad one, so we aren't going deeper there.
If there is anyone who could help I'll be glad.
Best regards!
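The check the post describes (an "unregistered" line must be followed by a "registered" line for the same device within a few milliseconds, and the dashboard currently approximates this by subtracting one count from the other) can be replayed offline to see why the subtraction produces zeros, negatives and hidden misses. The following is an added example, not code from the post or from Elastic: it parses constructed sample lines with a regex equivalent of the grok pattern above (TIMESTAMP_ISO8601 is simplified to date, 'T', time and a numeric UTC offset), computes the same overall and per-device count difference the Lens formula does, and then does the per-device time-window pairing that the difference cannot express. The message texts, device ids, OS values and the 100 ms window are assumptions chosen for the sample.

```python
"""Replay of the unregister/register pairing check over constructed log lines."""
import re
from datetime import datetime, timedelta

# Regex equivalent of the grok pattern in the post:
#   %{TIMESTAMP_ISO8601:log_time} %{NOTSPACE:device_id} %{DATA:OS} %{GREEDYDATA:message}
# TIMESTAMP_ISO8601 is simplified to what the constructed sample uses (assumption).
LINE_RE = re.compile(
    r"^(?P<log_time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?[+-]\d{2}:\d{2}) "
    r"(?P<device_id>\S+) "
    r"(?P<OS>.*?) "        # %{DATA:OS}: shortest match, like grok's DATA
    r"(?P<message>.*)$"    # %{GREEDYDATA:message}: the rest of the line
)

# Message texts matched by the two count() filters in the post (assumed exact values).
UNREGISTERED = "successfully unregistered device on server"
REGISTERED = "successfully registered device on server"

# Constructed sample log (not the poster's data), laid out as <timestamp> <device_id> <OS> <message>.
# dev-A: normal pair.  dev-B: unregister never answered.  dev-C: register with no unregister.
# dev-D: register arrives, but 900 ms late.
SAMPLE_LOG = """\
2024-03-01T10:00:00.000+00:00 dev-A Android successfully unregistered device on server
2024-03-01T10:00:00.004+00:00 dev-A Android successfully registered device on server
2024-03-01T10:00:01.000+00:00 dev-B iOS successfully unregistered device on server
2024-03-01T10:00:02.000+00:00 dev-C iOS successfully registered device on server
2024-03-01T10:00:03.000+00:00 dev-B iOS heartbeat ok
2024-03-01T10:00:05.000+00:00 dev-D Linux successfully unregistered device on server
2024-03-01T10:00:05.900+00:00 dev-D Linux successfully registered device on server
"""


def parse_line(line):
    """Return the grok-style fields of one line, or None when the pattern does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["log_time"] = datetime.fromisoformat(event["log_time"])
    return event


def parse_log(text):
    """Parse every matching line; non-matching lines are dropped (grok would tag them as failed)."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def overall_delta(events):
    """count(unregistered) - count(registered) over the whole set, as the Lens formula computes it."""
    unreg = sum(1 for e in events if e["message"] == UNREGISTERED)
    reg = sum(1 for e in events if e["message"] == REGISTERED)
    return unreg - reg


def delta_per_device(events):
    """The same difference broken down by device_id: 0 normal, >0 missing register, <0 extra register."""
    out = {}
    for e in events:
        if e["message"] == UNREGISTERED:
            out[e["device_id"]] = out.get(e["device_id"], 0) + 1
        elif e["message"] == REGISTERED:
            out[e["device_id"]] = out.get(e["device_id"], 0) - 1
    return out


def unmatched_unregisters(events, window=timedelta(milliseconds=100)):
    """Unregister events for which the same device shows no register within `window` afterwards."""
    by_device = {}
    for e in sorted(events, key=lambda ev: ev["log_time"]):
        by_device.setdefault(e["device_id"], []).append(e)
    missing = []
    for device, evs in by_device.items():
        for i, e in enumerate(evs):
            if e["message"] != UNREGISTERED:
                continue
            deadline = e["log_time"] + window
            answered = any(
                f["message"] == REGISTERED and e["log_time"] <= f["log_time"] <= deadline
                for f in evs[i + 1:]
            )
            if not answered:
                missing.append((device, e["log_time"].isoformat()))
    return missing


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("overall delta:", overall_delta(events))
    print("per device:", delta_per_device(events))
    print("unanswered unregisters:", unmatched_unregisters(events))
```

On this sample the overall difference is 0 even though two devices misbehave: dev-B's missing register (+1) and dev-C's spurious register (-1) cancel out, which is the blind spot of subtracting two counts in a single bucket. Splitting the difference by device_id separates the two cases, and only the time-window pairing catches dev-D, whose register does arrive but far later than the few milliseconds the post expects.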