How to index the same field "A" different values for the unique ID? The set of field "A" values is finite, and each ID can have multiple identical field values.
After a few search strings I have a table. I'll try to explain with an image:
My main difficulty is that I can't calculate the time difference between any two points of field "A", because there are identical field "A" values. I think that this way will help me.
Hey @AlexeyPy, If DalJeanis solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!
Try this...
| sort 0 _time ID fieldA
| streamstats current=f last(_time) as priortime by ID fieldA
| eval duration=coalesce(_time - priortime,"No prior")
Unfortunately, that's not what I need. I need to be able to calculate the difference in time between the points that I want. In this search, it is only between the first and last in the group.
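Added example, not part of the original thread: a Python emulation of what the posted `sort` / `streamstats current=f last(_time) ... by ID fieldA` search computes over constructed events. It goes beyond the posted search by adding a per-(ID, fieldA) counter so that identical field "A" values can be told apart and any two of them compared. The names `annotate`, `time_between` and `occurrence` and the sample data are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample events (_time in epoch seconds); not data from the thread.
EVENTS = [
    {"_time": 100, "ID": "u1", "fieldA": "login"},
    {"_time": 130, "ID": "u1", "fieldA": "read"},
    {"_time": 160, "ID": "u2", "fieldA": "login"},
    {"_time": 190, "ID": "u1", "fieldA": "login"},
    {"_time": 250, "ID": "u1", "fieldA": "read"},
    {"_time": 400, "ID": "u1", "fieldA": "login"},
]


def annotate(events):
    """Emulate the posted search and add an 'occurrence' index.

    priortime/duration mirror:
      sort 0 _time ID fieldA
      | streamstats current=f last(_time) as priortime by ID fieldA
      | eval duration=coalesce(_time - priortime, "No prior")
    occurrence (hypothetical field) numbers repeats within each (ID, fieldA).
    """
    last_seen = {}             # (ID, fieldA) -> _time of the previous event
    counts = defaultdict(int)  # (ID, fieldA) -> events seen so far
    rows = []
    for ev in sorted(events, key=lambda e: (e["_time"], e["ID"], e["fieldA"])):
        key = (ev["ID"], ev["fieldA"])
        counts[key] += 1
        prior = last_seen.get(key)
        duration = ev["_time"] - prior if prior is not None else "No prior"
        rows.append({**ev, "occurrence": counts[key],
                     "priortime": prior, "duration": duration})
        last_seen[key] = ev["_time"]
    return rows


def time_between(rows, event_id, a, a_occ, b, b_occ):
    """Seconds from occurrence a_occ of value a to occurrence b_occ of value b."""
    times = {(r["fieldA"], r["occurrence"]): r["_time"]
             for r in rows if r["ID"] == event_id}
    return times[(b, b_occ)] - times[(a, a_occ)]


if __name__ == "__main__":
    for row in annotate(EVENTS):
        print(row)
```

In SPL, the counter corresponds to `streamstats count as occurrence by ID fieldA` run after the same sort.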