Blockquote
I have similar json input as below, every minute similar blocks of data is send to index.

I am plotting timechart using below query, this avg is working fine, its averaging row1 of event1 and row1 of event2, similarly for all:
index="naveentest2" |fields sid,did,lun,readiobyte,readiotime |eval result = readiobyte / readiotime|eval combination=sid."-".did."-".lun | timechart span=30 avg(result) as AVG usenull=f by combination

but here i need a diff between two sets of values means the first line of event 2- first line of event 1,first line of event 3- first line of event 2,first line of event 4- first line of event 3,
similarly for other lines.
and i dont need the avg() function in the timechart below, only the result should get printed

index="naveentest2" |fields sid,did,lun,readiobyte,readiotime |eval result = (readiobyte2-readiobyte1) / (readiotime2-readiotime1)|eval combination=sid."-".did."-".lun | timechart span=30 avg(result) as AVG usenull=f by combination

the time difference between each event is 30sec,event1(bunch of data as below),event2(bunch of data as below) similarly event3, event4...

--event 1 - all records going at once
{"sid": "s1", "did": "d1","lun": "l1","readiobyte":"100","readiotime":"10","iocompletetime":"2","Timestamp": "2018-03-24 06:12:53"}
{"sid": "s1", "did": "d1","lun": "l2","readiobyte":"400","readiotime":"15","iocompletetime":"10","Timestamp": "2018-03-24 06:12:53"}
{"sid": "s1", "did": "d1","lun": "l3","readiobyte":"50","readiotime":"10","iocompletetime":"2","Timestamp": "2018-03-24 06:12:53"}
{"sid": "s1", "did": "d1","lun": "l4","readiobyte":"100","readiotime":"20","iocompletetime":"20","Timestamp": "2018-03-24 06:12:53"}
{"sid": "s1", "did": "d1","lun": "l5","readiobyte":"10","readiotime":"5","iocompletetime":"1","Timestamp": "2018-03-24 06:12:53"}
{"sid": "s1", "did": "d1","lun": "l6","readiobyte":"50","readiotime":"2","iocompletetime":"2","Timestamp": "2018-03-24 06:12:53"}
{"sid": "s2", "did": "d1","lun": "l1","readiobyte":"150","readiotime":"30","iocompletetime":"2","Timestamp": "2018-03-24 06:12:53"}
{"sid": "s2", "did": "d1","lun": "l2","readiobyte":"100","readiotime":"15","iocompletetime":"2","Timestamp": "2018-03-24 06:12:53"}
{"sid": "s2", "did": "d1","lun": "l3","readiobyte":"100","readiotime":"20","iocompletetime":"1","Timestamp": "2018-03-24 06:12:53"}

--event 2 all records going at once
{"sid": "s1", "did": "d1","lun": "l1","readiobyte":"120","readiotime":"20","iocompletetime":"2","Timestamp": "2018-03-24 06:13:23"}
{"sid": "s1", "did": "d1","lun": "l2","readiobyte":"500","readiotime":"50","iocompletetime":"5","Timestamp": "2018-03-24 06:13:23"}
{"sid": "s1", "did": "d1","lun": "l3","readiobyte":"150","readiotime":"10","iocompletetime":"1","Timestamp": "2018-03-24 06:13:23"}
{"sid": "s1", "did": "d1","lun": "l4","readiobyte":"120","readiotime":"30","iocompletetime":"30","Timestamp": "2018-03-24 06:13:23"}
{"sid": "s1", "did": "d1","lun": "l5","readiobyte":"15","readiotime":"2","iocompletetime":"1","Timestamp": "2018-03-24 06:13:23"}
{"sid": "s1", "did": "d1","lun": "l6","readiobyte":"70","readiotime":"5","iocompletetime":"2","Timestamp": "2018-03-24 06:13:23"}
{"sid": "s2", "did": "d1","lun": "l1","readiobyte":"180","readiotime":"6","iocompletetime":"4","Timestamp": "2018-03-24 06:13:23"}
{"sid": "s2", "did": "d1","lun": "l2","readiobyte":"120","readiotime":"12","iocompletetime":"2","Timestamp": "2018-03-24 06:13:23"}
{"sid": "s2", "did": "d1","lun": "l3","readiobyte":"140","readiotime":"20","iocompletetime":"2","Timestamp": "2018-03-24 06:13:23"}

Can anyone throw some light on this?
Blockquote