ROMANIA_engineer

Reputation: 56616

Divide two timecharts in Splunk

I want to divide two timecharts (ideally to look also like a timechart, but something else that emphasizes the trend is also good).

I have two types of URLs and I can generate timecharts for them like this:

index=my-index sourcetype=access | regex _raw="GET\s/x/\w+" | timechart count

index=my-index sourcetype=access | regex _raw="/x/\w+/.*/\d+.*\s+HTTP" | timechart count

The purpose is to emphasize that the relative number of URLs of the second type is increasing and the relative number of URLs of the first type is decreasing.

This is why I want to divide them (ideally the second one by the first one).

For example, if the first series generates 2, 4, 8, 4 and the second one generates 4, 9, 20, 12 I want to have only one dashboard showing somehow the result 2, 2.25, 2.5, 3.

I just managed to gather that information by doing this, but not to generate a timechart and not to divide them:

index=my-index sourcetype=access 
| eval type = if(match(_raw, "GET\s/x/\w+"), "new", if(match(_raw, "/x/\w+/.*/\d+.*\s+HTTP"), "old", "other")) 
| table type 
| search type != "other" 
| stats count as "Calls" by type

I also tried some approaches using eval, but none of them work.

Upvotes: 1

Views: 939

Answers (1)

RichG

Reputation: 9906

Try this query:

index=my-index sourcetype=access
| eval type = if(match(_raw, "GET\s/x/\w+"), "new", if(match(_raw, "/x/\w+/.*/\d+.*\s+HTTP"), "old", "other"))
| fields type
| search type != "other"
| timechart count(eval(type="new")) as "New", count(eval(type="old")) as "Old"
| eval Div=if(New=0, 0, Old/New)

Upvotes: 1
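A Python simulation of the answer's query, added here as an example and not part of the original question or answer: it classifies constructed access-log lines with the same two regexes and the same precedence ("new" is tested before "old", exactly as the nested `if` does), counts per hourly bucket the way `timechart` does with a 1h span, and divides Old by New with the zero guard on the divisor. The log lines, timestamps and bucket size are constructed; the last bucket has no "new" hits so the guard is exercised.

```python
import re
from collections import defaultdict
from datetime import datetime

# Same regexes as the page, same precedence as the eval: "new" wins over "old".
NEW_RE = re.compile(r"GET\s/x/\w+")
OLD_RE = re.compile(r"/x/\w+/.*/\d+.*\s+HTTP")


def classify(raw):
    """Mirror of eval type = if(match(new), "new", if(match(old), "old", "other"))."""
    if NEW_RE.search(raw):
        return "new"
    if OLD_RE.search(raw):
        return "old"
    return "other"


def ratio_timechart(lines, bucket_fmt="%Y-%m-%dT%H"):
    """Per time bucket: (bucket, New, Old, Div) with Div = Old/New, or 0 when New is 0."""
    counts = defaultdict(lambda: {"new": 0, "old": 0})
    for ts, raw in lines:
        kind = classify(raw)
        if kind == "other":          # | search type != "other"
            continue
        counts[ts.strftime(bucket_fmt)][kind] += 1
    rows = []
    for bucket in sorted(counts):    # timechart output is ordered by _time
        new, old = counts[bucket]["new"], counts[bucket]["old"]
        rows.append((bucket, new, old, 0 if new == 0 else old / new))
    return rows


def build_sample(spec):
    """Constructed access-log lines: (hour, #new, #old, #other) per hourly bucket."""
    lines = []
    for hour, n_new, n_old, n_other in spec:
        ts = datetime.strptime(hour, "%Y-%m-%dT%H")
        lines += [(ts, "GET /x/item HTTP/1.1")] * n_new             # matches only NEW_RE
        lines += [(ts, "POST /x/item/detail/42 HTTP/1.1")] * n_old  # matches only OLD_RE
        lines += [(ts, "GET /y/health HTTP/1.1")] * n_other         # matches neither
    return lines


# The question's sample series (2,4,8,4 vs 4,9,20,12) plus a bucket with New=0.
SAMPLE_SPEC = [("2024-01-01T00", 2, 4, 1), ("2024-01-01T01", 4, 9, 0),
               ("2024-01-01T02", 8, 20, 2), ("2024-01-01T03", 4, 12, 0),
               ("2024-01-01T04", 0, 3, 1)]

if __name__ == "__main__":
    for bucket, new, old, div in ratio_timechart(build_sample(SAMPLE_SPEC)):
        print(f"{bucket}  New={new:>2}  Old={old:>2}  Div={div:.2f}")
```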

Related Questions