My log messages have two fields I'd like to search on: engineElapsed and serviceElapsed. I'm interested in looking at all the records where engineElapsed - serviceElapsed > 1.
I'm new to Splunk, and have discovered I can do do something like this:
* | eval time=engineElapsed-serviceElapsed | timechart avg(time) by user
But since I need to see individual log messages, something like this might be more suited -- if it worked, that is:
eval(engineElapsed-serviceElapsed)
Help would be appreciated 🙂
