Oh, sorry for any confusion. I am not trying to use values as column name rather than values. What I’m trying to do here is to find the time stamp of log with certain info( for example: some strings) and find the time stamp of another log with certain info( for example, some other strings) and trying to display the duration in between. After spath, i have something like: | eval session_start=if(searchmatch("some string"),min(_time),null()) | eval session_end=if(searchmatch("some other string"),max(_time),null()) | stats values(session_start) as start, values(session_end) as end | eval Duration= end-start | table Duration start end  But it's not displaying the duration, but session_start and session_end are correct if I put them under table, trying to calculate diff but it seems that it's not calculating.      Update:  I figured it out  | eval session_start=if(searchmatch("some string"),_time,null()) | eval session_end=if(searchmatch("some other string"),_time,null()) | stats values(session_start) as ss, values(session_end) as se | eval dur=se-ss | table dur   ... View more

Yes, thank you! Thank you that works very well. As you mentioned, I do expect some use. For example, if I want to display the _time in a column where "some strings" and _time in another column where "some other strings" in a chart(essentially the time range of two Logs). I tried use spath twice in the search but it seems that values are not returned correctly while "info" is different strings. ... View more

Sorry, I need to rephrase my question. For Log, not  every one of them is standard JSON, some of them are just a string, and sometimes the Log is a totally different structure of Json ... View more