Use 2 variables in a math expression

I am running 7.9.1 and am trying to perform math with 2 variables like below. Is this possible?

filters
| timefilter field="@timestamp" from="now-1d" to="now"
| var_set name="completed" value={escount index="index_1" query="thisField:test AND status:completed"}
| var_set name="sent" value={escount index="index_1" query="thisField:test AND status:sent"}
| math "completed / sent"

Hi, welcome back! It looks like you are trying to do what we would call a "filter ratio".

Honestly, I think string concatenation is the easiest way to do this.

var_set name="errors" value=10
| var_set name="total" value=100
| math {string value={var "errors"} value=" / " value={var "total"}}

This is because the math function typically works using data tables, but we don't have a nice function to create tables in Canvas.

Thanks for the welcome back and the response. I am able to get part of the way there now.

var_set name="completed" value={escount index="index_1" query="thisField:test AND status:completed"}
| var_set name="sent" value={escount index="index_1" query="thisField:test AND status:sent"}
| math {string value={var "completed"} value=" / " value={var "sent"}}

However, if I want to restrict the result from the queries to the last 24 hours it won't work. How can I apply the timefilter that I specified in my original post?

One thing that is not obvious is the way that parameters are passed into datasources in sub-expressions. For example, the filters is implicitly sent into escount here:

filters
| var_set name="completed" {/* implicit filters | */ escount}

But then when you have two var_set calls in a row, the same behavior causes an error:

var_set name="completed" value=0
| var_set name="sent" value={escount}

Putting this together, you need to create the full chain of data fetching at each subexpression level.

In this case I also used a time filter control, but you can do it either way:

timefilterControl compact=true column="@timestamp" filterGroup="myGroup"
| render

var_set name="completed" value={filters | timefilter filterGroup="myGroup" | escount index="kibana_sample_data_logs" query="bytes:[100 TO *]"}
| var_set name="sent" value={filters | timefilter filterGroup="myGroup" | escount index="kibana_sample_data_logs" query="*"}
| math {string {var "completed"} " / " {var "sent"}}

Wylie, thank you for the help and I now have things working. I'll figure out the expression language at some point. :slight_smile:
