Hi
Not sure about your question, i.e. exactly what you want to subtract, but with eval , you can accomplish at least the following type of calculations. Since I didn't have your data, I had to manufacture it ( the first 4 rows). The table at the end shows all numbers/fields involved. The diff (in seconds) is equal to 1 day.
index=main
| head 1
| eval j1="10-JAN-2012"
| eval j2="11-JAN-2012"
| eval d1=strptime(j1,"%d-%b-%Y")
| eval d2=strptime(j2,"%d-%b-%Y")
| eval diff = d2-d1
| table j1 j2 d1 d2 diff
Hope this helps,
Kristian
Don't be afraid to post some sample events. You'd be able to get better help that way.
... View more