Hi @nramya82 Glad @adauria_splunk helped you find your solution 🙂 You used eval to find the difference between your field values, but there actually is a delta command for this purpose, just so you know for future reference. Check out the documentation for it here: http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Delta ... View more

Look, I did provide you an example how it works - if you keep changing your searches to strings that cannot match, you will never get it working. Read the docs on the search basics http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial and use this regex to get it working | rex ":\s\+(?\d+)\s+/" I'm off this topic for now....... ... View more

Here is the regex for extracting the field with the Field Extractor (Hits): (?i) ABC : (?P .+) And here is the statement I put in the search field: | table date_month date_mday date_hour date_minute Hits | delta Hits as tempdiff | eval Difference=tempdiff*(-1) I am first creating a table to display the time and the extracted field, which I called "Hits". Then I calculated the difference using the delta command. To remove the negative prefix, I multiplied the field with -1. ... View more