Subtracting two timestamps results in negative values.

Using epoch time to find the difference between two timestamps, but the results come out as negative values.
index=npp_pe_sumidx_slr003 | streamstats values(Time5) as new, values(Time6) as old | eval duration2=new-old | table new old duration2
T1 T2 Diff
1521470540.030000 1521470540.290000 -0.260000
1521470596.110000 1521470596.360000 -0.250000
1521470620.090000 1521470620.310000 -0.220000
1521470588.020000 1521470588.240000 -0.220000
@kishen2017, the negative difference in the above example looks correct to me.
1521470540.290000 (T2) > 1521470540.030000 (T1). If you compare, 29 > 03 and the difference is 26. Since you are performing T1-T2, you are expected to get negative values. So you should perform T2-T1 as per your data.
The timestamp order is correct. Time5 is new and Time6 is old, and we want to subtract Time5 - Time6 only. These negative results are not coming for all the events; only for specific events are we getting the negative values. Those negative values are updated in the ticket.
Have you verified that the values of Time5 and Time6 are the same as what your ticketing system says? If you just need to make sure you don't get a negative value for duration2, use:
... | eval duration2=abs(new-old) | ...