I figured out about not dividing by 60000. I changed to 60 and then round(time_in_minutes, 0) to get rid of the decimal places. I also took out the ctime() This is what I have now: . . . | streamstats window=2 range(_time) as timediff | eval time_in_minutes = timediff / 60 | eval time_in_minutes = round(time_in_minutes, 0) | table _time LocalTranId time_in_minutes Based on how I described what I want is the 'window=2' giving me what I am looking for? I scanned through events around the time of the 51 shown in the table below and I can't find any 2 events > 50 minutes   It's clear I'm new at this. I've only been creating simple queries which I'm sure this is probably very simple to you and I appreciate you helping me. I've just  now realized I need to do more to get what I really need.     ... View more

I did figure out the problem is I did not need the 'as refresh_minutes' in for the eval Ultimately I want a table that shows time gaps > 50 between 2 events. I am refreshing a token every 50 minutes and I need to see those gaps in a table I've changed it to this but I get no data in the time_in_minutes column. . . . | streamstats current=f last(_time) as last_time by host | eval gap = last_time - _time | where gap > 50 | convert ctime(last_time) as last_time | eval time_in_minutes = last_time / 60000 | table LocalTranId time_in_minutes     ... View more