When I search for:
index=unix pool=general1 dom0stat42
| delta stolen_cpu_ticks as sct
| eval abssct=abs(sct)
| timechart sum(abssct) span=1m by hardware

I get:

_time a4-hpc1-1 a4-hpc1-2 a4-hpc1-3 a4-hpc1-5 a4-hpc1-6
1 9/30/11 8:34:00.000 AM 1449940 1710969 5285059 5107148 439020
2 9/30/11 8:35:00.000 AM 1449917 1711019 5285126 5107278 439015
3 9/30/11 8:36:00.000 AM 1449885 1711043 5285205 5107419 439037
4 9/30/11 8:37:00.000 AM 1449863 1711078 5285282 5107536 439029


Splunk is showing me the hardware correctly, but not the delta. When I search for a single peace of hardware with the following command, delta works.

index=unix pool=general1 dom0stat42 a4-hpc1-1
| delta stolen_cpu_ticks as sct
| eval abssct=abs(sct)
| timechart sum(abssct) span=1m


_time sum(abssct)
1 9/30/11 8:38:00.000 AM 149
2 9/30/11 8:39:00.000 AM 120
3 9/30/11 8:40:00.000 AM 127
4 9/30/11 8:41:00.000 AM 90


Any ideas/help would be greatly appreciated.