I have an event that has two fields. PROGRESS_START and PROGRESS_END. Both of these fields contain multiple values. One PROGRESS_START and PROGRESS_END for each navigation a user makes. If a user navigates 8 times, there will be 8 values inside of PROGRESS_START and 8 values inside of PROGRESS_END.

PROGRESS_START means that the user has clicked to navigate to a new screen and it is given a value that is an epoch time of when that navigation starts. PROGRESS_END is when the loading is complete on the next screen and is also given an epoch time of when the loading from the navigation ends.

Here is an example of what that a search looks like to view the PROGRESS_START and PROGRESS_END fields

index="abc" sourcetype="xyz" event=timemetrics userid=123
| spath output=progress_start path="metrics.progressMetrics{}.events{}.PROGRESS_START"
| spath output=progress_end path="metrics.progressMetrics{}.events{}.PROGRESS_END"
| table progress_start,progress_end

Here is the output form that search.

progress_start  
1573487643709
1573487722305
1573487955841
1573487979760
1573488015745
1573488060305
1573488078606
1573488093558
1573488109858
1573488122452

progress_end
1573487718303
1573487908044
1573487957176
1573487981268
1573488018744
1573488061909
1573488079705
1573488095764
1573488111632
1573488123971

What I'd like to know is how do I use these epoch time values to determine how long a user spent on a given screen before navigating? I think I would need to subtract a following START_PROGRESS value from a previous PROGRESS_END value.

Some bonus information:

With help from a user on this site, I was able to put a search together to calculate the loading time between each navigation by subtracting each PROGRESS_START value from each PROGRESS_END value. That difference is how long the user was looking at a loading screen.

This is an example of what that search looks like

index="abc" sourcetype="xyz" event=timemetrics userid=123
| spath output=progress_start path="metrics.progressMetrics{}.events{}.PROGRESS_START"
| spath output=progress_end path="metrics.progressMetrics{}.events{}.PROGRESS_END"
| eval timeremainder = mvzip(progress_end, progress_start,".")
| mvexpand timeremainder
| rex field=timeremainder "(?<progress_end>.*)\.(?<progress_start>.*)"
| eval loading_time=(progress_end - progress_start) / 1000| table progress_start,progress_end,loading_time

Here is what the output ends up being:

progress_start  progress_end    loading_time
1573487643709   1573487718303   74.594
1573487722305   1573487908044   185.739
1573487955841   1573487957176   1.335
1573487979760   1573487981268   1.508
1573488015745   1573488018744   2.999
1573488060305   1573488061909   1.604
1573488078606   1573488079705   1.099
1573488093558   1573488095764   2.206
1573488109858   1573488111632   1.774
1573488122452   1573488123971   1.519

In summary. I've been able to use these values to determine loading times and now I could use any advice or suggestions as to how to leverage this same information to see the time spent between navigations. I hope I've articulated this question well enough. Feel free to ask if you have any questions or need more clarification. Thank you for any information you can share to help me solve this.