I have logs of the following pattern, and want a time chart to track the per-project field delta trend. As the change is small, visually the delta makes more sense than the actual value as a vertical bar.
[Feb 21 15:50:00 CST 2016] Project=A field_1=100 field_2=200 field3=302
[Feb 21 15:50:00 CST 2016] Project=B field_1=100 field_2=305 field3=300
[Feb 21 15:50:00 CST 2016] Project=C field_1=100 field_2=200 field3=304
[Feb 22 15:50:00 CST 2016] Project=A field_1=101 field_2=204 field3=305
[Feb 22 15:50:00 CST 2016] Project=B field_1=104 field_2=300 field3=300
[Feb 22 15:50:00 CST 2016] Project=C field_1=100 field_2=200 field3=303
[Feb 23 15:50:00 CST 2016] Project=A field_1=102 field_2=200 field3=301
[Feb 23 15:50:00 CST 2016] Project=B field_1=105 field_2=303 field3=300
[Feb 23 15:50:00 CST 2016] Project=C field_1=100 field_2=200 field3=307
Try something like this:
your current search giving fields _time Project field_1 field_2 field_3
| sort 0 Project _time
| streamstats current=f window=1 values(field_*) as prev* by Project
| eval delta1=if(isnull(prev1),0,field_1-prev1)
| eval delta2=if(isnull(prev2),0,field_2-prev2)
| eval delta3=if(isnull(prev3),0,field_3-prev3)
| timechart span=1d values(delta1) as delta1 values(delta2) as delta2 values(delta3) as delta3 by Project