You can try utilizing a foreach mode=multivalue loop to gather deltas between the timestamps and then do descriptive statistics around the new delta MV field.
Something like this:
<base_search>
``` sorting event_time mvfield values ```
| eval
event_time=mvsort(event_time)
``` initializing field current for the nex foreach loop ```
| eval
current=mvindex(event_time, 0)
``` loop through each value in event_time and subtract the preceding value to get a delta ```
| foreach mode=multivalue event_time
[
| eval
tmp_delta='<<ITEM>>'-'current',
delta=mvappend(delta, tmp_delta),
current='<<ITEM>>'
]
``` removing these fields as they are no longer needed ```
| fields - current, tmp_delta
| eval
``` stripping off first entry from delta mvfield since it will always be zero and skew stats ```
delta=mvindex(delta, 1, -1),
``` calculate avergae delta betwwen timestamps ```
avg_delta=avg(delta),
``` diff is a temp field to assist with evaluating the standard deviation s=√(Σ((delta-avg_delta)^2/(n-1))) ```
diff=mvmap(delta, 'delta'-'avg_delta'),
diff_2=mvmap(diff, pow(diff, 2)),
stdev_delta=sqrt(sum(diff_2)/(mvcount(diff_2)-1)),
``` evaluate variance ```
variance_delta=pow('stdev_delta', 2)
``` remove diff fields as they were temporary to calculate standard deviation ```
| fields - diff, diff_2
``` zscore for more detail ```
| eval
zscore_delta=mvmap(delta, (('delta'-'avg_delta')/'stdev_delta'))
``` human readable format (duration) of deltas for context ```
| eval
stdev_duration=tostring(stdev_delta, "duration"),
range_delta=max(delta)-min(delta),
range_duration=tostring(range_delta, "duration")
``` just sorting fields list for final display ```
| fields + event_time, delta, zscore_delta, avg_delta, stdev_delta, variance_delta, range_delta, stdev_duration, range_durationIt should return you a table that looks like this.
