I want to get the difference between the events. Please find the example below.
Eg:
Field1 Field2 Field3 Diff
ABC 200 CCBA 0
DEF 500 DFDG 0
ABC 600 WERT 400
DEF 200 ERTY -100
ABC 800 WERT 200
DEF 700 ERTY 500
How can I get a result like the above?
Efficiency is bad because we perform the same search twice using JOIN. Since we are using a subsearch, there is a default limit on the number of results.
(your search)
|streamstats count as key by Field1
|join type=left Field1,key
[search (your search)|table Field1 Field2|streamstats count as key by Field1|eval key=key-1
|rename Field2 as bf_Field2]
|eval Diff=Field2-bf_Field2| fillnull value=0 Diff
|table Field1 Field2 Field3 Diff
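The two things a reader most wants to check about the search above are (a) what the single-pass alternative looks like, since the answer itself notes the join runs the search twice and is bounded by the subsearch result limit, and (b) why the subsearch shifts the key by -1: the self-join pairs each event with the one whose streamstats key is one higher in stream order, so the sign of Diff depends on whether events arrive newest-first (Splunk's default) or oldest-first (the order in the question's table). The Python below is an added example, not code from the original post or from Splunk; it models both approaches over a constructed copy of the question's rows, with Diff recomputed as current minus previous Field2 within each Field1 group.

```python
from collections import defaultdict

# Constructed sample events, listed oldest-first exactly as in the question's table.
EVENTS = [
    {"Field1": "ABC", "Field2": 200, "Field3": "CCBA"},
    {"Field1": "DEF", "Field2": 500, "Field3": "DFDG"},
    {"Field1": "ABC", "Field2": 600, "Field3": "WERT"},
    {"Field1": "DEF", "Field2": 200, "Field3": "ERTY"},
    {"Field1": "ABC", "Field2": 800, "Field3": "WERT"},
    {"Field1": "DEF", "Field2": 700, "Field3": "ERTY"},
]


def diff_single_pass(events, group="Field1", value="Field2"):
    """One pass over the stream: carry the previous value per group and
    subtract it. The first event in a group has no predecessor, so Diff=0
    (the same role fillnull plays in the SPL answer). No second search,
    no subsearch limit."""
    last = {}
    out = []
    for ev in events:
        prev = last.get(ev[group])
        row = dict(ev)
        row["Diff"] = 0 if prev is None else ev[value] - prev
        last[ev[group]] = ev[value]
        out.append(row)
    return out


def diff_via_join(events, group="Field1", value="Field2", offset=-1):
    """Emulates the answer's streamstats + join: number events per group in
    stream order (streamstats count as key by Field1), build the 'subsearch'
    with every key shifted by `offset` (eval key=key-1 is offset=-1), then
    join each event on (group, key). With offset=-1 an event is paired with
    the one that came one position LATER in the stream, so the result only
    reads as 'current minus previous' when the stream is newest-first."""
    keyed = []
    counter = defaultdict(int)
    for ev in events:
        counter[ev[group]] += 1
        keyed.append((ev[group], counter[ev[group]], ev))
    # The subsearch side: same numbering, keys shifted, Field2 renamed bf_Field2.
    bf_field2 = {(g, k + offset): ev[value] for g, k, ev in keyed}
    out = []
    for g, k, ev in keyed:
        row = dict(ev)
        bf = bf_field2.get((g, k))          # left join: missing -> None
        row["Diff"] = 0 if bf is None else ev[value] - bf   # fillnull value=0
        out.append(row)
    return out


def diffs(rows):
    """Just the Diff column, for comparing the variants."""
    return [r["Diff"] for r in rows]


def newest_first(events):
    """Splunk's default result order is reverse-chronological."""
    return list(reversed(events))


if __name__ == "__main__":
    for r in diff_single_pass(EVENTS):
        print(r["Field1"], r["Field2"], r["Field3"], r["Diff"])
    # Join with key-1 over a newest-first stream matches the single pass;
    # the same join over an oldest-first stream flips the sign and shifts rows.
    print(diffs(newest_first(diff_via_join(newest_first(EVENTS), offset=-1))))
    print(diffs(diff_via_join(EVENTS, offset=-1)))
```

The single-pass function is the behaviour to aim for in SPL as well: computing the previous value per group in one streaming pass avoids running the base search twice and is not subject to the subsearch result limit. If the search is sorted oldest-first (for example after `sort _time`), the join variant needs `eval key=key+1` instead of `key=key-1`; the `offset` argument makes that visible.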