https://community.splunk.com/t5/Getting-Data-In/Using-span-option-in-timechart-doesn-t-show-any-values/m-p/530740#M89313 <P>I am trying to get a time difference of two events and using timechart, I wants to display MAX(time difference value ) in a span of 30seconds;&nbsp; Below query is working with table and I want to use timechart - Any help appreciated.&nbsp;</P><P>index=express_its_pds_solsup_dce sourcetype="express:dce:shipmentlog" "EWPX - WCO: Begin saving"<BR />| rex field=_raw "build.(?&lt;SHIP_FILE&gt;[\S+]*)"<BR />| stats latest(_time) as begin_time by SHIP_FILE<BR />| join SHIP_FILE<BR />[ search index=express_its_pds_solsup_dce sourcetype="express:dce:shipmentlog" "EWPX - WCO: End"<BR />| rex field=_raw "build.(?&lt;SHIP_FILE&gt;[\S+]*)"<BR />| stats latest(_time) as end_time by SHIP_FILE ] | eval ship_throughput = end_time-begin_time</P><P>| table SHIP_FILE, ship_throughput</P> Wed, 25 Nov 2020 03:49:36 GMT 4uramana4u 2020-11-25T03:49:36Z https://community.splunk.com/t5/Getting-Data-In/Using-span-option-in-timechart-doesn-t-show-any-values/m-p/530740#M89313 <P>I am trying to get a time difference of two events and using timechart, I wants to display MAX(time difference value ) in a span of 30seconds;&nbsp; Below query is working with table and I want to use timechart - Any help appreciated.&nbsp;</P><P>index=express_its_pds_solsup_dce sourcetype="express:dce:shipmentlog" "EWPX - WCO: Begin saving"<BR />| rex field=_raw "build.(?&lt;SHIP_FILE&gt;[\S+]*)"<BR />| stats latest(_time) as begin_time by SHIP_FILE<BR />| join SHIP_FILE<BR />[ search index=express_its_pds_solsup_dce sourcetype="express:dce:shipmentlog" "EWPX - WCO: End"<BR />| rex field=_raw "build.(?&lt;SHIP_FILE&gt;[\S+]*)"<BR />| stats latest(_time) as end_time by SHIP_FILE ] | eval ship_throughput = end_time-begin_time</P><P>| table SHIP_FILE, ship_throughput</P> Wed, 25 Nov 2020 03:49:36 GMT https://community.splunk.com/t5/Getting-Data-In/Using-span-option-in-timechart-doesn-t-show-any-values/m-p/530740#M89313 4uramana4u 2020-11-25T03:49:36Z https://community.splunk.com/t5/Getting-Data-In/Using-span-option-in-timechart-doesn-t-show-any-values/m-p/530756#M89315 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229060">@4uramana4u</a>&nbsp;</P><P>streamstats is the best option to find out difference between two events. Below is the sample working query. you can tailor it as per your needs.</P><LI-CODE lang="markup">index=_internal sourcetype=splunkd host="samplehost" component=StatusMgr | bin _time span=30s | stats count by _time source | streamstats range(_time) as delta window=2 global=f by source | eventstats max(delta) as max_delta</LI-CODE> Wed, 25 Nov 2020 06:00:03 GMT https://community.splunk.com/t5/Getting-Data-In/Using-span-option-in-timechart-doesn-t-show-any-values/m-p/530756#M89315 thambisetty 2020-11-25T06:00:03Z https://community.splunk.com/t5/Getting-Data-In/Using-span-option-in-timechart-doesn-t-show-any-values/m-p/535958#M89862 <P>Thank you, solved.</P> Fri, 15 Jan 2021 07:46:37 GMT https://community.splunk.com/t5/Getting-Data-In/Using-span-option-in-timechart-doesn-t-show-any-values/m-p/535958#M89862 4uramana4u 2021-01-15T07:46:37Z