https://community.splunk.com/t5/Getting-Data-In/How-to-compute-for-duration-between-two-consecutive-timestamps/m-p/428323#M75050 <P>Ignore my other answer, I see you need to carry the time forward not backwards. Try this:</P> <PRE><CODE>| streamstats window=1 current=f last(_time) as prevTime last(GREEN) as prevGREEN last(YELLOW) as prevYELLOW last(RED) as prevRED | eval duration = _time - prevTime | table prevTime prevGREEN prevYELLOW prevRED duration </CODE></PRE> Mon, 11 Mar 2019 22:04:05 GMT chrisyounger 2019-03-11T22:04:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-compute-for-duration-between-two-consecutive-timestamps/m-p/428321#M75048 <P>I have a table:</P> <PRE><CODE>TIME | GREEN | YELLOW | RED | 10:16:43 0 0 0 10:16:46 0 0 2 10:16:47 0 0 0 10:35:12 1 0 0 11:20:21 0 0 0 </CODE></PRE> <P>I want to have another column for duration like this:</P> <PRE><CODE>TIME | GREEN | YELLOW | RED | DURATION | 10:16:43 0 0 0 00:00:03 ----------&gt; meaning for 3 minutes, the values were 0 0 0 10:16:46 0 0 2 00:00:01 -----------&gt;meaning for 1 minutes, red is 2 10:16:47 0 0 0 00:18:25 -----------&gt; meaning fro 18:25, values are 0 0 0 10:35:12 1 0 0 00:25:08 -----------&gt; meaning for 25:08, green is at 1 11:20:21 0 0 0 00:06:43 11:07:04 </CODE></PRE> <P>How will I do this?</P> Mon, 11 Mar 2019 21:23:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-compute-for-duration-between-two-consecutive-timestamps/m-p/428321#M75048 mdmaala 2019-03-11T21:23:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-compute-for-duration-between-two-consecutive-timestamps/m-p/428322#M75049 <P>Try this:</P> <PRE><CODE>| streamstats window=1 current=f last(_time) as prevTime | eval duration = _time - prevTime </CODE></PRE> <P>Hope this helps</P> Mon, 11 Mar 2019 21:57:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-compute-for-duration-between-two-consecutive-timestamps/m-p/428322#M75049 chrisyounger 2019-03-11T21:57:44Z https://community.splunk.com/t5/Getting-Data-In/How-to-compute-for-duration-between-two-consecutive-timestamps/m-p/428323#M75050 <P>Ignore my other answer, I see you need to carry the time forward not backwards. Try this:</P> <PRE><CODE>| streamstats window=1 current=f last(_time) as prevTime last(GREEN) as prevGREEN last(YELLOW) as prevYELLOW last(RED) as prevRED | eval duration = _time - prevTime | table prevTime prevGREEN prevYELLOW prevRED duration </CODE></PRE> Mon, 11 Mar 2019 22:04:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-compute-for-duration-between-two-consecutive-timestamps/m-p/428323#M75050 chrisyounger 2019-03-11T22:04:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-compute-for-duration-between-two-consecutive-timestamps/m-p/428324#M75051 <P>Thank you so much! this worked for me. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 12 Mar 2019 01:33:24 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-compute-for-duration-between-two-consecutive-timestamps/m-p/428324#M75051 mdmaala 2019-03-12T01:33:24Z