Hello  here's is my problem, I made a search which calculates duration between two jobs. Jobs are supposed to run during our ovn. So the first starts around 10pm and the last around 00.30 so +- 2h30 after. it's working fine but if the job A starts later (e.g.  09/04 at 00.09) then I can't get the calculation and get two empty rows . 09/06/21 02:30:42 21:50:00 00:20:41 09/04/21 00:00:00 03:19:24 03:19:24  << 09/03/21 00:00:00 00:09:52 00:09:52  << 09/02/21 02:31:56 21:56:44 00:28:40 it should display only 1 line for that ovn : 09/04/21 03:09:32 00:09:52 03:19:24  sometimes it's ok i guess it's because job A started very later 4.36AM and after previous Job B run. 09/20/21 02:19:10 22:02:02 00:21:12 09/18/21 02:48:11 04:36:59 07:25:10  <<< ??  09/16/21 02:14:33 22:22:41 00:37:13     <query>| tstats latest(evt_tsk_id) as evt_tsk_id, latest(evt_tsk_status) as evt_tsk_status, latest(evt_mes_occ_ts) as evt_mes_occ_ts, latest(evt_mes_occ_ts_epoch) as evt_mes_occ_ts_epoch where index=INDEX1 APP_env=ENV1 APP_inst=INSTANCE (evt_tsk_id ="JOB_A" AND evt_tsk_status="1") OR (evt_tsk_id ="JOB_B" AND evt_tsk_status="2") by _time span=1H | bucket _time span=6H | stats min(evt_mes_occ_ts_epoch) as start, max(evt_mes_occ_ts_epoch) as end by _time | eval N_duration = tostring(round(end-start,0), "duration") | eval _time = strftime(_time,"%m/%d/%y") | convert timeformat="%H:%M:%S" ctime(start) AS JOB1 | convert timeformat="%H:%M:%S" ctime(end) AS JOB2 | rename _time as date | table date N_duration JOB1 JOB2 | reverse</query>     thanks in advance ... View more