To start - I was suggested this solution, but despite the fact that the question is very similar the answer marked as a solution doesn't seem to actually provide the quantitative total that I am looking for. I have a series of events where there is a Start and Stop time, in epoch time. These events can be grouped by a common field, `host`, and I am trying to determine the total amount of deduplicated time that these events span. For example: Host_1, Event_1: starts at 13:00, ends at 13:15 Host_1, Event_2: starts at 13:10, ends at 13:20 Host_1, Event_3: starts at 13:30, ends at 14:00 The total time for Host_1 would therefore be 50 minutes: Event_1: 15 minutes Event_2: 5 minutes (10 minutes - 5 minutes of overlap with Event_1) Event_3: 30 minutes (no overlap with any other events) Total: 50 minutes   I had tried to leverage streamstats to get information about previous events, but couldn't work out how to get it to properly reset when the events didn't overlap. Not even sure streamstats is the best method for solving this type of problem.   EDIT: some test data may be helpful. 0,"hostname","start_time","end_time" 1,"host_1","1654130041.626307","1654130566.626307" 2,"host_1","1654131696.975800","1654133451.975800" 3,"host_1","1654132454.687189","1654134263.687189" 4,"host_1","1654132747.975800","1654133451.975800" 5,"host_1","1654133805.740912","1654134236.740912" 6,"host_1","1654136688.170093","1654136722.170093" 7,"host_1","1654136782.300892","1654136818.300892" 8,"host_1","1654136885.031861","1654137288.031861" 9,"host_1","1654137388.801936","1654139394.801936"   Doing the math, rows numbered 3 and 4 both have `start_time` values that are earlier than row 1's `end_time` value - indicating that there would be a duration overlap occurring in several rows. ... View more

So the goal is to to have a drilldown perform an eval which sets a token with the "lookup-dataset" value for another panel to use in performing the lookup. Lookup documentation states the syntax is:   | lookup <lookup-dataset> ...   The eval includes a case command containing 3 match commands - the results of this should be set into a token.   <drilldown> <unset token="lookup_token"></unset> <eval token="lookup_token">case(match("$row.field1$","abc"),"lookup1",match("$row.field1$","def"),"lookup2",match("$row.field1$","xyz"),"lookup1")</eval> </drilldown>   And another panel does:   <search depends="$lookup_token$" base="the_base_search"> <query>| lookup $lookup_token$ lookup_value as field_value</query> </search>   But the eval doesn't appear to be re-evaluating on clicking a new row within the first panel - checking the search jobs shows it only ever seems to get the first eval value. Is there something I am missing here? ... View more