Thanks for answer, without the "where" I mention doesn't return correct duration.

any idea?

Can you share more representative example data to show why it doesn't work?

I have lot's of line like this so I need to if A,B,IDS matched with each other get latest one and calculate duration 

1-step one, where:

A=A+100

B=B

IDS=IDS

2-step two, find latest one 

3-calculate duration

00:03:00.010 app catZZ_DDP_AP: O[host]A[1000]B[123456]IDS[123456789987]
00:03:00.020 app catZZ_DDP_AP: I[host]A[1100]B[123456]IDS[123456789987]

00:03:01.025 app catZZ_DDP_AP: O[host]A[1000]B[123456]IDS[123456789987]
00:03:01.026 app catZZ_DDP_AP: I[host]A[1100]B[123456]IDS[123456789987]

00:03:02.067 app catZZ_DDP_AP: O[host]A[1000]B[123456]IDS[123456789987]
00:03:02.110 app catZZ_DDP_AP: I[host]A[1100]B[123456]IDS[123456789987]

output:

duration                          B                            IDS
00:00:00.043      123456     123456789987

| sort 0 B IDS _time
| streamstats latest(_time) as previous_time window=1 current=f by B IDS
| stats latest(previous_time) as start latest(_time) as end by B IDS
| eval duration=tostring(end-start,"duration")
| table duration B IDS

still return incorrect duration for some of the events that is not A=A+100

e.g:

it find 3 events like this and consider first line as OUT while second line is OUT event of the third line. if condition check "A=1000" must be match to "A+100=1100" it will be fixed.

00:03:00.000 app catZZ_DDP_AP: O[host]A[2000]B[123456]IDS[123456789987]

00:03:02.067 app catZZ_DDP_AP: O[host]A[1000]B[123456]IDS[123456789987]
00:03:02.110 app catZZ_DDP_AP: I[host]A[1100]B[123456]IDS[123456789987]

current output:

duration = 00:00:02.110

expected output:

duration = 00:00:00.043

"A" of each OUT must be match with "A"+100 means 1100

if "A" of OUT is 4000 then "A" of IN shoud be 4100

I think this line need to be replace with "match" instead of "where"

| where A=previousA+100

currently put result in A while it shoud check them 

if A equal to A+100 they match then calculate duration.

Where is keeping events in the pipeline where A in the event is equal to previousA + 100 - it is not an assignment

you right about "where", it was my fault.

it work now in result page I have filed that call "servername" need to group by servername

current result:

servername             duration                          B                            IDS
server1                      00:00:00.043      123456     123456789987

server1                      00:00:00.033      123456     123456789987

server1                      00:00:00.093      123456     123456789987

server2                      00:00:00.099      123456     123456789987

expected result:

servername             duration                          B                            IDS
server1                      00:00:00.043      123456     123456789987

                                         00:00:00.033      123456     123456789987

                                         00:00:00.093      123456     123456789987

server2                      00:00:00.099      123456     123456789987

any idea?

thanks

If you really want servername "removed" or other fields grouped by servername try this:

| stats list(duration) as duration list(B) as B list(IDS) as IDS by servername