So this seems to get me really close, but I don't seem to be pulling values for eval = case() - here are the updates I made to match my data:
index="ops" (sourcetype="apxtradeaudit3Q17" OR sourcetype="csv-EzeFactset")
| rename COMMENT as "Keep only the fields we want from either record type"
| fields Date, Symbol, Axys_ID, CUSIP, "Trade Date", Price, "Portfolio Code", Activity
| rename COMMENT as "Calculate fields that are changed or different from each other"
| eval vendorPrice=case(sourcetype="csv-EzeFactset", Price)
| eval Price=case(sourcetype="apxtradeaudit3Q17", Price)
| eval sodtimestamp=strptime(Date,"%Y%m%d")
| eval sodDate=strftime(sodtimestamp,"%1m/%1d/%Y")
| eval "Trade Date"=coalesce('Trade Date',sodDate)
| eval Symbol=coalesce(lower(Symbol),lower(Axys_ID))
| rename COMMENT as "roll values from audit records onto the app records, then drop the audit records"
| eventstats earliest(vendorPrice) as vendorPrice by Symbol "Trade Date"
| where sourcetype="apxtradeaudit3Q17"
| rename COMMENT as "calculate deltas and drop low deltas"
| eval delta=((vendorPrice-Price)/vendorPrice)*100
| eval absDelta=abs(delta)
| where absDelta>10
| rename COMMENT as "rename and present data"
| rename vendorPrice as "SoD Price"
| rename delta as "Actual % Change"
| rename absDelta as "Absolute Change"
| table "Portfolio Code" Activity "Trade Date" Symbol CUSIP Price "SoD Price" "Actual % Change" "Absolute Change"
I also found that I needed to convert the "Data" field for sourcetype="csv-EzeFactset" into time, and then into the sourcetype="apxtradeaudit3Q17" format so it would coalesce.
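An offline cross-check of the search logic above, as an added Python example that is not part of the original post: it reproduces the date conversion, the two coalesce steps, the per-(Symbol, Trade Date) roll-up and the delta filter, so expected rows can be compared against what Splunk returns. The sample records are constructed; it assumes `%1m/%1d/%Y` means month and day without zero padding, and it uses input order in place of `earliest()`.

```python
from datetime import datetime

AUDIT = "apxtradeaudit3Q17"   # sourcetype names taken from the post
VENDOR = "csv-EzeFactset"

def trade_date(rec):
    """coalesce('Trade Date', Date re-rendered as M/D/YYYY, no zero padding)."""
    if rec.get("Trade Date"):
        return rec["Trade Date"]
    d = datetime.strptime(rec["Date"], "%Y%m%d")
    return f"{d.month}/{d.day}/{d.year}"

def symbol(rec):
    """coalesce(lower(Symbol), lower(Axys_ID))."""
    return (rec.get("Symbol") or rec.get("Axys_ID") or "").lower()

def price_outliers(records, threshold=10.0):
    # eventstats step: first vendor price seen per (Symbol, Trade Date)
    vendor = {}
    for r in records:
        if r["sourcetype"] == VENDOR:
            vendor.setdefault((symbol(r), trade_date(r)), float(r["Price"]))
    rows = []
    for r in records:
        if r["sourcetype"] != AUDIT:
            continue                      # where sourcetype=<audit>
        sod = vendor.get((symbol(r), trade_date(r)))
        if not sod:                       # missing or zero vendor price:
            continue                      # delta is undefined, row drops out
        delta = (sod - float(r["Price"])) / sod * 100
        if abs(delta) > threshold:
            rows.append({"Symbol": symbol(r), "Trade Date": trade_date(r),
                         "Price": float(r["Price"]), "SoD Price": sod,
                         "Actual % Change": delta, "Absolute Change": abs(delta)})
    return rows

# Constructed sample records (not real data); which source carries Symbol
# versus Axys_ID is an assumption made for the example.
RECORDS = [
    {"sourcetype": VENDOR, "Date": "20170705", "Symbol": "IBM", "Price": "150.00"},
    {"sourcetype": VENDOR, "Date": "20170705", "Symbol": "MSFT", "Price": "72.00"},
    {"sourcetype": AUDIT, "Trade Date": "7/5/2017", "Axys_ID": "ibm", "Price": "120.00"},
    {"sourcetype": AUDIT, "Trade Date": "7/5/2017", "Axys_ID": "msft", "Price": "70.00"},
    {"sourcetype": AUDIT, "Trade Date": "7/5/2017", "Axys_ID": "xyz", "Price": "10.00"},
]

if __name__ == "__main__":
    for row in price_outliers(RECORDS):
        print(row)
```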