I am using the below query (server names replaced) to find when there is a greater than 50% difference in volume between 2 call routers (servers). For some reason im getting no timechart results, even when setting the difference to 1% which should always return results.
index=OMITTED source=OMITTED host="SERVER1" OR host="SERVER2"
| stats max(Value) as Value by host
| eventstats max(if(host='SERVER1', Value, null)) as server1_value max(if(host='SERVER2', Value, null)) as server2_value
| eval value_difference = abs(server1_value - server2_value)
| eval value_percentage_difference = if(coalesce(server1_value, server2_value) != 0, (value_difference / coalesce(server1_value, server2_value) * 100), 0)
| where value_percentage_difference > 1
| timechart avg(value_percentage_difference)
... View more