Hi,
I'm trying to create a metric in a Kibana dashboard (Lens) where I will see the difference between two different fields (events_passed - events_all), i.e. a subtraction.
Those fields are available in two different documents.
Can I make some aggregation to calculate the difference?
I'm able to get the required fields with two queries:
events_all:
{
  "_source": ["events_all"],
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "range": {
            "@timestamp": {
              "format": "strict_date_optional_time",
              "gte": "now-15m",
              "lte": "now"
            }
          }
        },
        {
          "match_phrase": {
            "app_name": "app1"
          }
        },
        {
          "match_phrase": {
            "imsi_prefix": "00002"
          }
        }
      ]
    }
  }
}
events_passed:
{
  "size": 1,
  "_source": ["events_passed"],
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "range": {
            "@timestamp": {
              "format": "strict_date_optional_time",
              "gte": "now-15m",
              "lte": "now"
            }
          }
        },
        {
          "match_phrase": {
            "app_name": "app1"
          }
        },
        {
          "exists": {
            "field": "events_passed"
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}
Sample docs:
{
  "_index": "app1_log-001745",
  "_type": "_doc",
  "_id": "KKha9oQBIhZIlNHKrDlX",
  "_version": 1,
  "_score": 1,
  "_source": {
    "app_name": "app1",
    "events_all": "14928046",
    "@version": "1",
    "executed_time": 7.331166666666666,
    "events_rejected": "5869684",
    "events_passed": "9058362", - Field1
    "log_level": "INFO"
  }
}
{
  "_index": "app_log-001745",
  "_type": "_doc",
  "_id": "7C6R9oQBIhZIlNHK1xU7",
  "_version": 1,
  "_score": 1,
  "_source": {
    "imsi_prefix": "00002",
    "log_level": "DEBUG",
    "app_name": "app1",
    "events_all": "8252891", - Field2
    "@version": "1",
  }
}
Expected result: 9058362 (Field1) - 8252891 (Field2) = 805471
How can I deal with it?
Elasticsearch/Kibana 7.16
Regards