Hello all,

I'm trying to get a duration between the first "started" event and the first "connected" event following started, grouped by each user id.

The Data

I'm trying to get an event that is going to be structured like the following (assume these all have real timestamps; I am abbreviating them to be short. The item numbers on the left are for annotation purposes only):

| (item no. for annotation purposes only) | userId | status | _time (abbreviated) |
|---|---|---|---|
| 0 | 1 | started | 00:00 |
| 1 | 1 | connected | 00:05 |
| 2 | 2 | started | 00:30 |
| 3 | 2 | connected | 00:40 |
| 4 | 2 | connected | 01:30 |
| 5 | 4 | started | 02:00 |
| 6 | 3 | connected | 02:05 |
| 7 | 3 | started | 02:10 |
| 8 | 3 | connected | 02:20 |
| 9 | 4 | connected | 02:30 |
| 10 | 5 | started | 3:00 |

What I'm looking to achieve:

A) I need to make sure I start the clock whenever the user has a "started" state (e.g., item no. 6 should be neglected).
B) It must take the first connected event following "started" (e.g., item no. 3 is the end item, with item no. 4 being ignored completely).
C) I want to graph the number of users bucketed by intervals of 15 seconds.
D) There must be a start and connected event (e.g., userId 5 would not be added).

How would I approach this? I tried to do the following:

```
... status="started" OR status="connected"
| stats range(_time) AS duration BY userId
| where duration > 0
| bin span 15 duration
| stats dc(userid) as Users by duration
```

But this isn't quite doing what I want it to do. And I also get events where there's no duration.
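Rules A to D above, written out as a small Python reference model over the post's sample rows, so that a search's per-user durations and 15-second buckets can be checked against known values. This is an added example, not part of the original post; the function names are hypothetical and it assumes the abbreviated times are mm:ss.

```python
from collections import Counter

# Constructed from the sample rows in the post: (item no., userId, status, time).
# Assumption: the abbreviated times are mm:ss.
SAMPLE = [
    (0, 1, "started", "00:00"), (1, 1, "connected", "00:05"),
    (2, 2, "started", "00:30"), (3, 2, "connected", "00:40"),
    (4, 2, "connected", "01:30"), (5, 4, "started", "02:00"),
    (6, 3, "connected", "02:05"), (7, 3, "started", "02:10"),
    (8, 3, "connected", "02:20"), (9, 4, "connected", "02:30"),
    (10, 5, "started", "3:00"),
]


def to_seconds(mmss):
    """Convert an abbreviated 'mm:ss' timestamp to seconds."""
    minutes, seconds = mmss.split(":")
    return int(minutes) * 60 + int(seconds)


def first_connect_durations(events):
    """Return {userId: seconds from first 'started' to first later 'connected'}."""
    started_at = {}  # userId -> time of that user's first "started"
    durations = {}   # userId -> duration, set once per user
    for _, user, status, ts in sorted(events, key=lambda e: to_seconds(e[3])):
        t = to_seconds(ts)
        if status == "started":
            started_at.setdefault(user, t)  # rule A: clock starts at first "started"
        elif status == "connected":
            # Rule A: ignore "connected" with no earlier "started" (item 6).
            # Rule B: only the first "connected" after the start counts (item 4 ignored).
            if user in started_at and user not in durations:
                durations[user] = t - started_at[user]
    return durations  # rule D: users without both events never appear


def users_per_bucket(durations, span=15):
    """Rule C: count distinct users per `span`-second duration bucket."""
    counts = Counter((d // span) * span for d in durations.values())
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    per_user = first_connect_durations(SAMPLE)
    print(per_user)
    print(users_per_bucket(per_user))
```
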