How to calculate difference between resolved_time and inc_created_time when I get stats result in 2 columns
index="snow_incident"
| head 1
| spath path=result{} output=x
| fields - _raw
| mvexpand x
| spath input=x
| sort x desc
| foreach x [eval outage = case(match("true",u_major_incident), "Yes", match("false",u_major_incident) AND tonumber(strptime(resolved_at,"%b-%d-%Y %I:%M:%S")) != 0, "No")]
| foreach x [eval inc_created_time = if(match("true",u_major_incident),strptime(sys_created_on,"%b-%d-%Y %I:%M:%S"),"0")]
| foreach x [eval resolved_time = if(match("false",u_major_incident),strptime(resolved_at,"%b-%d-%Y %I:%M:%S"),"0")]
| eval outage_yes = "Yes"
| eval outage_no = "No"
| stats first(inc_created_time) as created first(resolved_time) as resolved by outage,cmdb_ci
... View more