I'm trying to get the difference between two values that share the same field name from two different sourcetypes that contain a field indicating a request has been completed.
A.
sourcetype=one AND event="FINISH" (the field that I'm interested in here would be responseTime)
B.
sourcetype=two AND event="COMPLETE" (again, looking for responseTime)
How do I plot the difference between responseTime A and responseTime B?
Hi jp28,
take this run-everywhere example and get an idea of how this can be done:
First I'm searching on two indexes
index=_internal OR index=_audit
bucket a time range
| bin _time span=1min
use evals to get different values from different source types
| stats max(eval(if(sourcetype=="splunkd", kbps, null()))) AS splunkd_value values(eval(if(sourcetype=="audittrail", date_hour, null()))) AS audittrail_value by _time
and finally graph them as a time chart with a difference line
| eval diff=audittrail_value-splunkd_value
| timechart span=10min max(diff) AS diff max(audittrail_value) AS audit max(splunkd_value) AS splunkd
So the complete search is this:
index=_internal OR index=_audit
| bin _time span=1min
| stats max(eval(if(sourcetype=="splunkd", kbps, null()))) AS splunkd_value values(eval(if(sourcetype=="audittrail", date_hour, null()))) AS audittrail_value by _time
| eval diff=audittrail_value-splunkd_value
| timechart span=10min max(diff) AS diff max(audittrail_value) AS audit max(splunkd_value) AS splunkd
Hope this helps to get you started ...
cheers, MuS
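The same pattern applied to the two sourcetypes from the question (an added example, not part of MuS's answer; sourcetype=one/two, event="FINISH"/"COMPLETE" and responseTime come from the question, while the 1-minute bucket, the avg() aggregate and the A/B field names are assumptions):

```spl
(sourcetype=one event="FINISH") OR (sourcetype=two event="COMPLETE")
| bin _time span=1min
| stats avg(eval(if(sourcetype=="one", responseTime, null()))) AS responseTime_A
        avg(eval(if(sourcetype=="two", responseTime, null()))) AS responseTime_B
        by _time
| eval diff=responseTime_A-responseTime_B
| timechart span=10min max(responseTime_A) AS A max(responseTime_B) AS B max(diff) AS diff
```

Using avg() instead of values() keeps each side a single number per bucket, so the subtraction in eval never hits a multivalue field; buckets where only one sourcetype reported get a null diff and simply leave a gap in the chart.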