Hi jp28,

take this run everywhere example and get an idea how this can be done:
First I'm searching on two indexes

index=_internal OR index=_audit 

bucket a time range

| bin _time span=1min 

use evals to get different values from different source types

| stats max(eval(if(sourcetype=="splunkd", kbps, null()))) AS splunkd_value values(eval(if(sourcetype=="audittrail", date_hour, null()))) AS audittrail_value by _time 

and finally graph them as a time chart with a difference line

| eval diff=audittrail_value-splunkd_value 
| timechart span=10min max(diff) AS diff max(audittrial_value) AS audit max(splunkd_value) AS plunked

So the complete search is this:

index=_internal OR index=_audit 
| bin _time span=1min 
| stats max(eval(if(sourcetype=="splunkd", kbps, null()))) AS splunkd_value values(eval(if(sourcetype=="audittrail", date_hour, null()))) AS audittrail_value by _time 
| eval diff=audittrail_value-splunkd_value 
| timechart span=10min max(diff) AS diff max(audittrial_value) AS audit max(splunkd_value) AS splunkd

Hope this helps to get you started ...

cheers, MuS