I have a query where I get "STARTED" and "FINISHED" status events for the same methods, e.g.:

index IN (private public) sourcetype in (X Y) log_entry=method_status method=getCusips status=STARTED | rename _time as start_time | table sourcetype method start_time status | sort start_time

For this query I get more, let's say 3, results where everything is the same for the event except the event _time.

I would also like to get the "FINISHED" events, so the same, only with FINISHED:

index IN (private public) sourcetype in (X Y) log_entry=method_status method=getCusips status=FINISHED | rename _time as end_time | table sourcetype method end_time status | sort end_time

I will always get the same number of events for both queries. Since it is sorted, I would need to pair the first STARTED with the first FINISHED, the second STARTED with the second FINISHED, and so on, and get the duration (end_time - start_time), but how?

So what I would like to see is, let's say, if I have 2 STARTED and 2 FINISHED events (and, as I mentioned, only the time is different between the 2 STARTED events, so I cannot use anything else):

source_type method start_time end_time duration
X getCusips 12 16 4
X getCusips 18 20 2

I was thinking to iterate on the events somehow and map them, the 1st to the 1st, the 2nd to the 2nd, but I have no idea if this is even doable. Hope I have explained it clearly.
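The positional pairing the post describes (n-th STARTED to n-th FINISHED per sourcetype and method, each side sorted by _time), as an added Python example that is not from the original poster or from Splunk; it assumes the events have already been extracted as dicts carrying the fields named in the query, and the sample events are constructed to match the post's table.

```python
from collections import defaultdict

# Constructed sample events mirroring the post's example (not real Splunk output):
# two getCusips executions on sourcetype X, each with a STARTED and a FINISHED event,
# deliberately out of order to show that sorting happens per side.
SAMPLE_EVENTS = [
    {"_time": 12, "sourcetype": "X", "method": "getCusips", "status": "STARTED"},
    {"_time": 20, "sourcetype": "X", "method": "getCusips", "status": "FINISHED"},
    {"_time": 16, "sourcetype": "X", "method": "getCusips", "status": "FINISHED"},
    {"_time": 18, "sourcetype": "X", "method": "getCusips", "status": "STARTED"},
]


def pair_by_order(events):
    """Pair the n-th STARTED with the n-th FINISHED event per (sourcetype, method),
    each side sorted by _time, and return rows with end_time - start_time.

    Positional pairing assumes executions of one method do not overlap, i.e. every
    FINISHED belongs to the earliest still-unmatched STARTED. If a group has unequal
    counts the pairing would silently shift, so that case raises instead.
    """
    groups = defaultdict(lambda: {"STARTED": [], "FINISHED": []})
    for ev in events:
        if ev["status"] in ("STARTED", "FINISHED"):
            groups[(ev["sourcetype"], ev["method"])][ev["status"]].append(ev["_time"])

    rows = []
    for (sourcetype, method), times in sorted(groups.items()):
        starts = sorted(times["STARTED"])
        ends = sorted(times["FINISHED"])
        if len(starts) != len(ends):
            raise ValueError(
                f"{sourcetype}/{method}: {len(starts)} STARTED vs {len(ends)} FINISHED"
            )
        for start, end in zip(starts, ends):
            rows.append({"sourcetype": sourcetype, "method": method,
                         "start_time": start, "end_time": end,
                         "duration": end - start})
    return rows


if __name__ == "__main__":
    for row in pair_by_order(SAMPLE_EVENTS):
        print(row)
```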