Code has been sanitized of identifying info, note this is filtering just on event code 200, but original search is filtered on both 200 and 201 event codes index=wineventlog source="WinEventLog:Application" (SourceName=ABC OR SourceName=DEF) Message="*$Projlookup$*" *$openfilter$* [ | inputlookup csvfile.csv | search Environment="$envlookup$" Hostname IN ( $hostname$) | fields Hostname Message EventCode | rename Hostname as host ] | search (EventCode=200) | stats count by EventCode   ... View more

Note you need to place source=OMITTED host="SERVER1" OR host="SERVER2" in parentheses; alternatively use IN operator.  Finding difference should not be that complicated. index=_internal earliest=-15mindex=OMITTED source=OMITTED host IN ("SERVER1", "SERVER2") | stats max(Value) as Value by host | stats max(Value) as max_of_two min(Value) as min_of_two | where max_of_two / min_of_two > 0.75 However, your OP says you want timechart.  That's why @richgalloway includes _time in groupby in that first stats.  But you can substitute the first stats with timechart to simplify this, then use the same technique in every row to find percent deviation. index=_internal earliest=-15mindex=OMITTED source=OMITTED host IN ("SERVER1", "SERVER2") | timechart span=1d max(Value) as Value by host | eventstats max(Value) as max_of_two min(Value) as min_of_two | where max_of_two / min_of_two > 0.75   ... View more

How are you measuring / detecting the value of the load? How often do you want to check? Over what period do you want to measure the load? ... View more