My log messages have two fields I'd like to search on: engineElapsed and serviceElapsed. I'm interested in looking at all the records where engineElapsed - serviceElapsed > 1.

I'm new to Splunk, and have discovered I can do do something like this:

* | eval time=engineElapsed-serviceElapsed | timechart avg(time) by user

But since I need to see individual log messages, something like this might be more suited -- if it worked, that is:

eval(engineElapsed-serviceElapsed)

Help would be appreciated 🙂