Transforms group by on 2 different data fields having same value

ashwani_perf · June 20, 2023, 12:19pm

Hi Team,

I am fairly new to Kibana and have run into a problem. I am trying to write a single transform which captures ingress and egress of a single event so that i can aggregate them by timestamp max and min and then calculate the time difference using data views.

However the problem is the group by data field at the ingress and egress which I generally use to pick the right entry and exit. In my case the values are same but the data field name is different.

e.g json.city.id : London and json.event.message.headers.city-id : London

Now since they are appearing with different name and using it under group by and then trying aggregating at timestamp.max and timestamp.min is not actually working. I am getting same timestamp min and max value as they appear to be taken from either entry or exit but not from both

Hendrik_Muhs · June 20, 2023, 1:08pm

Have a look at runtime fields, you can create a runtime field that either takes json.city.id or json.event.message.headers.city-id depending on what is set.

ashwani_perf · June 20, 2023, 1:34pm

Thanks @Hendrik_Muhs for coming back so quickly. I am a but naive in this area i can spot the runtime field editor in the transform but is it possible at all to post any sample please ?

system · July 18, 2023, 1:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.