There are many ways to tackle this problem. One is to use the transaction command, which will automatically create a field called duration for you. This example creates the transactions and formats a nice table:
yoursearchhere ("Connection Opened" OR "Connection Closed")
| transaction src dst startswith="Connection Opened" endswith="Connection Closed"
| rename _time as StartTime
| table StartTime duration src dst
| fieldformat duration=tostring(duration,"duration")
| fieldformat StartTime=strftime(StartTime,"%x %X")