https://community.splunk.com/t5/Splunk-Search/Subtracting-two-epoch-times-after-within-stats-table/m-p/556522#M158052 <P>It ended up being my fault.&nbsp; I was able to use an element of your example to produce the results I was looking for:<BR /><BR />|eval duration = last_event - first_event<BR />|eval possible_duration=tostring(duration, "duration")</P> Mon, 21 Jun 2021 13:38:13 GMT jason_hotchkiss 2021-06-21T13:38:13Z https://community.splunk.com/t5/Splunk-Search/Subtracting-two-epoch-times-after-within-stats-table/m-p/556048#M157888 <P>Hello - we are trying to calculate the possible_duration between the first event and last event in the following base search:<BR /><BR />&lt;base_search&gt;<BR />| eval docid="<A title="https://www.youtube.com/embed/%22.docid" href="https://www.youtube.com/embed/%22.docid" target="_blank" rel="noreferrer noopener">https://www.youtube.com/embed/".docid</A><BR />| stats count as "visits" values(docid) as url list(_time) as time_of_events earliest(_time) as first_event latest(_time) as last_event by user<BR />| eval duration = last_event - first_event<BR />| eval possible_duration = strftime(duration,"%H:%M:%S")<BR />| eval time_of_events = strftime(time_of_events,"%H:%M:%S")<BR />| eval first_event = strftime(first_event,"%H:%M:%S")<BR />| eval last_event = strftime(last_event,"%H:%M:%S")<BR />| table user visits url time_of_events first_event last_event possible_duration<BR /><BR />Result:</P><DIV><TABLE width="602"><TBODY><TR><TD width="107">Scoobie_Doo</TD><TD width="105">3</TD><TD width="100"><A href="https://www.youtube.com/embed/scoobie_snacks" target="_blank" rel="noopener">https://www.youtube.com/embed/scoobie_snacks</A></TD><TD width="98">16:12:37<BR />16:12:37<BR />16:12:34</TD><TD width="64">16:12:34</TD><TD width="64">16:12:37</TD><TD width="64">19:00:03</TD></TR></TBODY></TABLE><BR /><BR />The possible_duration field seems to get the minutes and seconds right.&nbsp; But not the hour.&nbsp; Looking for a suggestion one what I am missing.</DIV> Wed, 16 Jun 2021 20:28:34 GMT https://community.splunk.com/t5/Splunk-Search/Subtracting-two-epoch-times-after-within-stats-table/m-p/556048#M157888 jason_hotchkiss 2021-06-16T20:28:34Z https://community.splunk.com/t5/Splunk-Search/Subtracting-two-epoch-times-after-within-stats-table/m-p/556062#M157894 <P>Using strftime on a duration type field will always take account your local time, so if you added in a date to that strftime, you would see it's probably Jan 1 1970.</P><P>When dealing with duration there are two ways, either using tostring or doing the maths, like this example search</P><LI-CODE lang="markup">| makeresults | eval duration=147 | eval t-UsingToString=tostring(duration,"duration") | eval h=round(duration/3600), m=round((duration-(h*3600))/60), s=duration%60 | eval t-UsingHMS=printf("%02d:%02d:%02d", h, m, s) | table duration t-UsingToString t-UsingHMS</LI-CODE><P>&nbsp;</P> Wed, 16 Jun 2021 23:13:54 GMT https://community.splunk.com/t5/Splunk-Search/Subtracting-two-epoch-times-after-within-stats-table/m-p/556062#M157894 bowesmana 2021-06-16T23:13:54Z https://community.splunk.com/t5/Splunk-Search/Subtracting-two-epoch-times-after-within-stats-table/m-p/556187#M157932 <P>I attempted your solution, however, I am unable to get it to work in my particular case.</P> Thu, 17 Jun 2021 14:41:25 GMT https://community.splunk.com/t5/Splunk-Search/Subtracting-two-epoch-times-after-within-stats-table/m-p/556187#M157932 jason_hotchkiss 2021-06-17T14:41:25Z https://community.splunk.com/t5/Splunk-Search/Subtracting-two-epoch-times-after-within-stats-table/m-p/556243#M157950 <P>Can you give more details on what you tried and the results you got.</P><P>&nbsp;</P> Thu, 17 Jun 2021 22:45:42 GMT https://community.splunk.com/t5/Splunk-Search/Subtracting-two-epoch-times-after-within-stats-table/m-p/556243#M157950 bowesmana 2021-06-17T22:45:42Z https://community.splunk.com/t5/Splunk-Search/Subtracting-two-epoch-times-after-within-stats-table/m-p/556522#M158052 <P>It ended up being my fault.&nbsp; I was able to use an element of your example to produce the results I was looking for:<BR /><BR />|eval duration = last_event - first_event<BR />|eval possible_duration=tostring(duration, "duration")</P> Mon, 21 Jun 2021 13:38:13 GMT https://community.splunk.com/t5/Splunk-Search/Subtracting-two-epoch-times-after-within-stats-table/m-p/556522#M158052 jason_hotchkiss 2021-06-21T13:38:13Z