Ok folks, here's a doozy.
Two sets of data; the first set of data needs to be evaluated by a transaction to group a long log together.
index="main" sourcetype=APPPERF | transaction maxspan=0s startswith="Transaction arrived:" endswith="Sent transaction" | search Transaction_Name="App Test Script" | timechart span=10m values(Duration) by Transaction_Name
From this search I can get the "Duration" that the App Test Script took... great!
My second set of data is bandwidth related.
index=nagios | sort _time| delta inAbsolut as inabs_change| delta outAbsolut as outabs_change| where inabs_change>=0| where outabs_change>=0| eval inkilobits=(inabs_change*8/1000)| eval outkilobits=(outabs_change*8/1000)| timechart span=1m per_second(inkilobits) as in_kbps, per_second(outkilobits) as out_kbps
From this search (found on splunkbase) I am getting my firewall current bandwidth. I've been somewhat successful joining these two together by _time, but my problem with that is that my bandwidth polling and app perf polling are not in sync, so I may only get 2 or 3 records to match.
I'm open to any suggestions on how to get these two data sets into a timechart.
If you do a timechart over the same range with the same span twice, you can use appendcols to merge them.
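As an added illustration of that suggestion (not code from either poster), here are the two searches from the question combined with appendcols: both timecharts use the same span (10m is assumed, since the App Test Script bandwidth at 1m buckets would not line up), the subsearch inherits the outer search's time range so both produce the same bucket list, and avg(Duration) is assumed in place of values(Duration) so each bucket carries one number that can be charted next to the kbps columns.

```spl
index="main" sourcetype=APPPERF
| transaction maxspan=0s startswith="Transaction arrived:" endswith="Sent transaction"
| search Transaction_Name="App Test Script"
| timechart span=10m avg(Duration) as app_duration_ms
| appendcols
    [ search index=nagios
      | sort _time
      | delta inAbsolut as inabs_change
      | delta outAbsolut as outabs_change
      | where inabs_change>=0 AND outabs_change>=0
      | eval inkilobits=inabs_change*8/1000, outkilobits=outabs_change*8/1000
      | timechart span=10m per_second(inkilobits) as in_kbps, per_second(outkilobits) as out_kbps ]
| fields _time app_duration_ms in_kbps out_kbps
```

appendcols joins rows by position, not by _time, so both sides must produce identical bucket lists; subsearches are also subject to the default result and runtime limits, so over a long range it is safer to narrow the time picker or raise the span than to rely on the subsearch returning every bucket.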