Subtract two counts

Hi everyone,

I'm writing this kind of data into elastic:

{'action': 'customer.created', 'user': 'john', '@timestamp': datetime.datetime(2019, 2, 25, 12, 43, 11, 691604)}
{'action': 'customer.deleted', 'user': 'john', '@timestamp': datetime.datetime(2019, 2, 25, 12, 44, 11, 691604)}

What I would like to do is to show the total amount of customer.created - customer.deleted so I know the net amount. The solution should work with the time scale (so if I view data over last year, I should see the total amount of customers for that year, if last week then the amount for last week, and so on).

I haven't been able to figure out how to do this. Do I need scripted fields? InputJSON? Any pointers in the right direction would be welcome.

Bonus round: is there a way to sum all the data up until the timeframe I'm viewing so I can get a real reflection of total number of customers at a certain time frame also?

Thanks for the help!

Hi @Menso,

That's currently not possible in Kibana. It's similar to a HAVING clause in SQL, and Kibana does not give you an option to perform maths on the result of an aggregation.

Elasticsearch has bucket-scripts, but these are not supported yet in Kibana (
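Added example, not part of the original thread: a sketch of the Elasticsearch-side bucket-script approach mentioned above, sent directly to `_search` rather than through Kibana, with a local reference calculation over constructed events. The function names, the aggregation names and the `action.keyword` field (default dynamic mapping) are assumptions.

```python
from collections import Counter
from datetime import datetime

def net_customers_query(calendar_interval="day"):
    """_search body: per-bucket net = created - deleted, plus a running total."""
    def count_of(action):
        # Assumption: default dynamic mapping, so the exact value is in "action.keyword".
        return {"filter": {"term": {"action.keyword": action}}}
    return {"size": 0, "aggs": {"per_bucket": {
        # Releases before 7.2 name this parameter "interval".
        "date_histogram": {"field": "@timestamp",
                           "calendar_interval": calendar_interval},
        "aggs": {
            "created": count_of("customer.created"),
            "deleted": count_of("customer.deleted"),
            "net": {"bucket_script": {
                "buckets_path": {"c": "created>_count", "d": "deleted>_count"},
                "script": "params.c - params.d"}},
            # Sums only the buckets inside the queried time range.
            "running_total": {"cumulative_sum": {"buckets_path": "net"}},
        }}}}

def net_per_day(events):
    """Local reference for the result: [(day, net, running_total)], event days only."""
    delta = {"customer.created": 1, "customer.deleted": -1}
    net = Counter()
    for e in events:
        net[e["@timestamp"].date()] += delta.get(e["action"], 0)
    rows, total = [], 0
    for day in sorted(net):
        total += net[day]
        rows.append((day, net[day], total))
    return rows

# Constructed sample events in the shape shown in the question.
SAMPLE_EVENTS = [
    {"action": "customer.created", "user": "john", "@timestamp": datetime(2019, 2, 25, 12, 43)},
    {"action": "customer.created", "user": "mary", "@timestamp": datetime(2019, 2, 25, 13, 5)},
    {"action": "customer.deleted", "user": "john", "@timestamp": datetime(2019, 2, 25, 12, 44)},
    {"action": "customer.created", "user": "alice", "@timestamp": datetime(2019, 2, 26, 9, 0)},
    {"action": "customer.deleted", "user": "mary", "@timestamp": datetime(2019, 2, 27, 17, 30)},
]

if __name__ == "__main__":
    for row in net_per_day(SAMPLE_EVENTS):
        print(*row)
```

Because `running_total` only covers the buckets returned, the "bonus round" figure (customers existing at a point in time) needs a query range that starts at the first event, not at the start of the viewed window.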

Thanks for your reply. It seems this has been discussed and requested for over two years. Any idea when this might be implemented? Is it complicated to do or not enough people interested? It seems like rather basic functionality :cry:

The problem is you're trying to do behavioural analytics on an event-based index rather than an entity-centric index (where the entity would be a user).
The reason why this is hard and the solution is explained here
