take this run everywhere command as example:
index=_internal | stats sum(kb) AS KB sum(kbps) AS KBPS | eval diff=KB-KBPS
You frist have to
sum() your fields (here it is
kbps) and then evaluate the difference.
Hope this helps ...
I tried is already before getting mad with the other term.
When I do as you suggest the stats it gives me always only the sums for field1 and field2.
"Difference12" is not shown as the expected single value in the stats-tab of the results even though it should be the
singular result of the term.
Stats always only shows field1 and field2.
Currently Field2 is all time NULL could that cause an issue?
Yes, if the value of a field is always NULL, the stats will return NULL for the Field2 and subsequent diff will also be NULL.
Try something like this
Your base search | stats sum(Field1) AS Field1 sum(Field2) AS Field2 | fillnull value=0 Field2 | eval Difference12 =Field1 -Field1
this will not work, because
sum() is not an eval function, but the other way around it will work (run everywhere example):
index=_internal | timechart sum(eval(kb-kbps)) AS diff
But I doubt this will be the correct result, because it will not calculate the total difference. On the other hand the use case is not 100% clear so maybe it could work 😉