No luck.  The difference column is blank.  Here is the query

| `incident_review`
| where _time > relative_time(now(),"-7d@d") 
| search rule_id=353EA38E-CBD0-4D90-9EDA-B15D16089D17@@notable@@0fb5ae992e6da8629c0a67596540bf58
| eval status_time=strftime(_time,"%Y-%m-%d %H:%M:%S")
| streamstats window=2 global=f range(_time) as difference by rule_ID
| fieldformat difference=tostring(difference,"duration") 
| table  status_time difference rule_id rule_name owner user status_label

 Result

If you strftime your timestamp to a string, you can't calculate anything anymore on it because it's a string now. You'd have to strptime it back to a epoch-based timestamp which is a bit pointless. Use fieldformat instead of eval to display your status_time in a human-readable way but keep it internally as a unix timestamp.

That worked.  Awesome !!.  But curious, how did it work even though i am doing the following in the line above your  streamstats command ?

eval status_time=strftime(_time,"%Y-%m-%d %H:%M:%S") 

If you notice PickeRick's comment above, status_time should be in epoch format for us to calculate the difference.

PickleRick's comment is wrong

eval status_time=strftime(_time,"%Y-%m-%d %H:%M:%S")

does not change the _time field, it creates a new field called status_time, and therefore has no effect on the calculations based on the _time field

You're right. 😞

I noticed the strftime but didn't notice that the range() was operating on _time, not on that strftimed field.

My original comments holds valid but is just not applicable in this case 😉

Thanks @PickleRick . I have given you karma points.