Nice question, and good that you’re already using stats list() to group by id. The trick is: instead of quedarte con las listas tal cual, necesitas indexar esas listas y restar elemento a elemento. Aquí tienes un comentario que podrías postear, con tu anchor integrado: You can do this by turning the list() output into indexed elements and then subtracting adjacent timestamps with mvindex and strptime. For example: text ... | sort id timestamp | stats list(executor) AS executors list(timestamp) AS logtime BY id | eval count = mvcount(logtime) | eval time_diff = mvrange(0, count) | mvexpand time_diff | eval time_diff = if(time_diff==0, 0, strptime(mvindex(logtime, time_diff), "%Y-%m-%dT%H:%M:%S.%3N") - strptime(mvindex(logtime, time_diff-1), "%Y-%m-%dT%H:%M:%S.%3N") ) This way, the first executor gets 0 and each next row gets the delta vs the previous timestamp, even if the number of executors grows dynamically.
... View more
