Glad to help. Since we've solved it, I'd like to explain the difference between this final "test" and what we did before. All we added here was a table command, which displays the results of the calculations front and center. Without the table command, the fields were still being calculated, but you'd have to expand individual events to view the results. Give it a shot. Run this search query:
host=ns2 "move from"
| sort 0 _time
| streamstats earliest(_time) AS start_time reset_after="(Restart_status=\"I move from startup to normal\")"
| eval duration=if(Restart_status="I move from startup to normal", _time-start_time, NULL)
And click to expand an event that contains "I move from startup to normal". You'll see the fields start_time and duration were hiding there under the covers. 🙂 You can change the final command (table, stats, etc.) to display exactly what you want to see.
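The behaviour described in the post above, as an added example that is not part of the original post or Splunk's own code: a small Python emulation of the `sort`, `streamstats ... reset_after` and `eval` steps, showing that `start_time` and `duration` are attached to every event whether or not a final `table` displays them. The sample events, the status strings other than "I move from startup to normal", and the helper names `add_fields` and `table` are constructed for illustration.

```python
NORMAL = "I move from startup to normal"

# Constructed sample events (epoch seconds); not taken from the original thread.
EVENTS = [
    {"_time": 5075, "Restart_status": NORMAL},
    {"_time": 1000, "Restart_status": "I move from down to startup"},
    {"_time": 1042, "Restart_status": NORMAL},
    {"_time": 5000, "Restart_status": "I move from normal to down"},
    {"_time": 5010, "Restart_status": "I move from down to startup"},
]

def add_fields(events):
    """Emulate: sort 0 _time | streamstats earliest(_time) AS start_time
    reset_after=(...) | eval duration=if(...)."""
    out = []
    start_time = None  # running earliest(_time) since the last reset
    for ev in sorted(events, key=lambda e: e["_time"]):  # | sort 0 _time
        if start_time is None:
            start_time = ev["_time"]  # first event after a reset is the earliest
        is_normal = ev["Restart_status"] == NORMAL
        row = dict(ev, start_time=start_time)
        # duration is only populated on the "startup to normal" events
        row["duration"] = ev["_time"] - start_time if is_normal else None
        out.append(row)
        if is_normal:
            start_time = None  # reset_after: clear the window after this event
    return out

def table(rows, *fields):
    """Emulate | table: pick columns for display; the rows already hold the fields."""
    return [tuple(r[f] for f in fields) for r in rows]

if __name__ == "__main__":
    rows = add_fields(EVENTS)
    for line in table(rows, "_time", "start_time", "duration"):
        print(line)
```

Note that the second duration is measured from the first event after the reset (the constructed "normal to down" event), because `earliest(_time)` starts counting from whatever event follows the reset.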