https://community.splunk.com/t5/Splunk-Search/Join-searches-and-make-a-calculation/m-p/545618#M154589 <P>Firstly, you should add a time element to the stats e.g. 1h buckets or whatever you choose so long as they are the same for the two queries. This will give you a field to join on i.e. _time</P> Fri, 26 Mar 2021 14:56:41 GMT ITWhisperer 2021-03-26T14:56:41Z https://community.splunk.com/t5/Splunk-Search/Join-searches-and-make-a-calculation/m-p/545605#M154583 <P>I would like to run 2 searches and calculate the difference between 2 fields and plot the result using timechart&nbsp;</P><P>I have tested both these searches independently and it works fine.&nbsp;</P><P>I am trying this out</P><P>&nbsp; &nbsp; &lt;search A&gt;&nbsp;&nbsp;|&nbsp;stats count&nbsp; max(size) AS Users_Waiting | join [search &lt;search B&gt; | stats count as Daily_Users | streamstats sum(Daily_Users) as Cumulative_Users | timechart span=1d&nbsp;Cumulative_Users-Users_Waiting</P><P>So basically, I want to take the count of first search which is&nbsp;<STRONG>Users_Waiting</STRONG></P><P>Take the count of 2nd search which is&nbsp;<STRONG>Cumulative_Users</STRONG></P><P>Draw a timechart with (<STRONG>Cumulative_Users -&nbsp;Users_Waiting</STRONG>)<BR /><BR /></P><P>Is my approach correct ?</P> Fri, 26 Mar 2021 14:28:14 GMT https://community.splunk.com/t5/Splunk-Search/Join-searches-and-make-a-calculation/m-p/545605#M154583 balash1979 2021-03-26T14:28:14Z https://community.splunk.com/t5/Splunk-Search/Join-searches-and-make-a-calculation/m-p/545610#M154584 <P>The join will attempt to join with common fields - there are no common fields between your two queries.</P><P>The timechart needs a time element to work with - both queries remove this in their stats commands.</P><P>It is not clear where your second query finishes as there is no closing square bracket.</P> Fri, 26 Mar 2021 14:41:35 GMT https://community.splunk.com/t5/Splunk-Search/Join-searches-and-make-a-calculation/m-p/545610#M154584 ITWhisperer 2021-03-26T14:41:35Z https://community.splunk.com/t5/Splunk-Search/Join-searches-and-make-a-calculation/m-p/545613#M154585 <P>Sorry if i wasnt very clear.</P><P>This is search1&nbsp;<BR /><SPAN>&lt;search A&gt;&nbsp;&nbsp;|&nbsp;stats count&nbsp; max(size) AS Users_Waiting&nbsp;</SPAN></P><P>This is search 2<BR /><SPAN>&nbsp;join [search &lt;search B&gt; | stats count as Daily_Users | streamstats sum(Daily_Users) as Cumulative_Users&nbsp;<BR /></SPAN><BR />Is there a way to do&nbsp;<SPAN><STRONG>Cumulative_Users-Users_Waiting (</STRONG>basically difference between these 2 numbers) and then timechart the difference ?<BR />Yes, I dont have any common fields between the 2 searches.</SPAN></P><P>&nbsp;</P> Fri, 26 Mar 2021 14:51:32 GMT https://community.splunk.com/t5/Splunk-Search/Join-searches-and-make-a-calculation/m-p/545613#M154585 balash1979 2021-03-26T14:51:32Z https://community.splunk.com/t5/Splunk-Search/Join-searches-and-make-a-calculation/m-p/545615#M154587 <P>The <FONT face="courier new,courier">join</FONT> command works best when the two searches have common fields.&nbsp; This example has no common fields.&nbsp; What's more, <FONT face="courier new,courier">join</FONT> is inefficient and not needed in this case.&nbsp; Also, the <FONT face="courier new,courier">timechart</FONT> command requires the _time field, but it is stripped out by <FONT face="courier new,courier">stats</FONT>.&nbsp; Additionally, the <FONT face="courier new,courier">timechart</FONT> command cannot calculate the difference between two fields.</P><P>Try combining the searches with <FONT face="courier new,courier">append</FONT> then merging the results by time.&nbsp; Use <FONT face="courier new,courier">eval</FONT> to compute difference before invoking <FONT face="courier new,courier">timechart</FONT>.</P><LI-CODE lang="markup">&lt;search A&gt; | bin span=1d _time | stats count max(size) AS Users_Waiting by _time | append [search &lt;search B&gt; | bin span=1d _time | stats count as Daily_Users by _time | streamstats sum(Daily_Users) as Cumulative_Users ] | stats values(*) as * by _time | eval Users_Not_Waiting = Cumulative_Users - Users_Waiting | timechart span=1d Users_Not_Waiting</LI-CODE><P>&nbsp;</P> Fri, 26 Mar 2021 14:54:57 GMT https://community.splunk.com/t5/Splunk-Search/Join-searches-and-make-a-calculation/m-p/545615#M154587 richgalloway 2021-03-26T14:54:57Z https://community.splunk.com/t5/Splunk-Search/Join-searches-and-make-a-calculation/m-p/545618#M154589 <P>Firstly, you should add a time element to the stats e.g. 1h buckets or whatever you choose so long as they are the same for the two queries. This will give you a field to join on i.e. _time</P> Fri, 26 Mar 2021 14:56:41 GMT https://community.splunk.com/t5/Splunk-Search/Join-searches-and-make-a-calculation/m-p/545618#M154589 ITWhisperer 2021-03-26T14:56:41Z