I am trying to get time difference between 2 timestamps, I have one field deployment_ts with one value and list of time stamps commit_ts, i want a list containing the difference for each value in list with the other field eval commit_to_rel =  (deployment_ts - commit_ts). Bu t I am not getting any result. 
here is my query 
index=x application_name="yy-xx-zz" event_type="ev"
| spath path=commits{}.date output=commit_date
| eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%z"))
| eval commit_ts = (strptime(commit_date, "%Y-%m-%dT%H:%M:%SZ"))
| eval commit_to_rel = (deployment_ts - commit_ts)
| stats list(commit_date), list(commit_ts), list(deployment_ts), list(commit_to_rel)
Can anyone please tell me how to get this done?
here is the picture of results along with the querry.

 
					
				
		
Hi @dheri,
Try this :
index=x application_name="yy-xx-zz" event_type="ev"
| spath path=commits{}.date output=commit_date 
| eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%Z"))
| eval commit_ts = (strptime(commit_ts, "%Y-%m-%dT%H:%M:%SZ"))
| mvexpand commit_ts
| eval commit_to_rel =  (deployment_ts - commit_ts)
Let me know if that helps.
Cheers,
David
 
					
				
		
Hi @dheri,
Try this :
index=x application_name="yy-xx-zz" event_type="ev"
| spath path=commits{}.date output=commit_date 
| eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%Z"))
| eval commit_ts = (strptime(commit_ts, "%Y-%m-%dT%H:%M:%SZ"))
| mvexpand commit_ts
| eval commit_to_rel =  (deployment_ts - commit_ts)
Let me know if that helps.
Cheers,
David
 
					
				
		
Hi @dheri Was that helpful ? Can you let me know if it worked for you ?
Yes, I was able to expand single event into multiple events.
 
					
				
		
Awesome ! Great to hear that !
 
					
				
		
 
		
		
		
		
		
	
			
		
		
			
					
		@dheri
Is the date format for deployment_time and commit_date are the same? If not, can you please share it else pls try below search? 
| makeresults 
| eval _raw="{\"deployment_time\": \"2019-06-03T15:41:26Z\",\"commit_date\": \"2019-06-03T15:41:26Z\"}" 
| kv 
| eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%Z")) 
| eval commit_ts = (strptime(commit_date, "%Y-%m-%dT%H:%M:%SZ")) 
| eval commit_to_rel = (deployment_ts - commit_ts)
Just made change in | eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%Z"))
@kamlesh_vaghela 
Yes, there is difference between date format of deployment_time and commit_date but they both are converted into unix timestamps, which I can see in result as deployment_ts and commit_ts. I tried the query you asked me.  Here are the results 

