I have a search that captures when a user logs in and logs out of his PC:
index=win* (EventCode=4800 OR EventCode=4801) Account_Name="Bat man"
The results show the consecutive events below (from top to bottom):
EventCode=4801 The workstation was unlocked.
EventCode=4800 The workstation was locked.
EventCode=4801 The workstation was unlocked.
EventCode=4800 The workstation was locked.
EventCode=4801 The workstation was unlocked.
EventCode=4800 The workstation was locked.
Basically, I want to run a report each day (last 24 hours) where I can subtract the _time of the first, second, third pair of events (duration) and then add the duration values together so it will show how long a user has not been on the computer.
The current search I have finds the difference between consecutive events. In the results I see the right time-difference values, but it also includes wrong data which I cannot remove.
| delta _time p=1| rename delta(_time) AS timeDeltaS | eval timeDeltaS=abs(timeDeltaS) | eval "Duration"=tostring(timeDeltaS,"duration") | table Account_Name,_time, "Duration"
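As an added example that is not part of the original post, this is the pairing logic the question describes, written in Python instead of SPL: sort the 4800/4801 events oldest-first, open an interval on each lock (4800), close it on the next unlock (4801), and sum the closed intervals. The event list is constructed to mirror the search output (Splunk order, newest first); the field names follow the search in the question.

```python
from datetime import datetime, timedelta

LOCKED, UNLOCKED = 4800, 4801  # Windows Security event IDs from the question

# Constructed sample events in the shape the question's search returns
# (newest first, like Splunk). Not real log data.
SAMPLE_EVENTS = [
    {"_time": "2024-01-10 17:05:00", "EventCode": 4801, "Account_Name": "Bat man"},
    {"_time": "2024-01-10 16:35:00", "EventCode": 4800, "Account_Name": "Bat man"},
    {"_time": "2024-01-10 13:00:00", "EventCode": 4801, "Account_Name": "Bat man"},
    {"_time": "2024-01-10 12:00:00", "EventCode": 4800, "Account_Name": "Bat man"},
    {"_time": "2024-01-10 09:10:00", "EventCode": 4801, "Account_Name": "Bat man"},
    {"_time": "2024-01-10 09:00:00", "EventCode": 4800, "Account_Name": "Bat man"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def locked_intervals(events, account, window_end=None):
    """Return (locked_at, unlocked_at, seconds) tuples for one account.

    Only a 4800 followed by a 4801 forms a pair, which is what the plain
    delta of consecutive events gets wrong (it also measures unlock->lock
    gaps, i.e. time the user *was* at the PC). An unlock with no preceding
    lock is ignored; a lock still open at window_end is closed there.
    """
    ordered = sorted((e for e in events if e["Account_Name"] == account),
                     key=lambda e: parse_time(e["_time"]))
    intervals, open_lock = [], None
    for e in ordered:
        t = parse_time(e["_time"])
        if e["EventCode"] == LOCKED and open_lock is None:
            open_lock = t  # keep the earliest lock if duplicates appear
        elif e["EventCode"] == UNLOCKED and open_lock is not None:
            intervals.append((open_lock, t, (t - open_lock).total_seconds()))
            open_lock = None
    if open_lock is not None and window_end is not None:
        intervals.append((open_lock, window_end,
                          (window_end - open_lock).total_seconds()))
    return intervals


def total_locked_seconds(events, account, window_end=None):
    return sum(sec for _, _, sec in locked_intervals(events, account, window_end))


def format_duration(seconds):
    """Render like Splunk's tostring(x, "duration"), e.g. '1:40:00'."""
    return str(timedelta(seconds=int(seconds)))


if __name__ == "__main__":
    total = total_locked_seconds(SAMPLE_EVENTS, "Bat man")
    print("Bat man locked for", format_duration(total))
```

The still-locked-at-end case matters for a daily report: a lock event near the end of the 24-hour window has no matching unlock yet, so pass the window end to count that time.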