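Here are both of them:

Average duration per user type:

index=main field=value1
| rex field=user "\w+\\\(?<user>.*)"
```user now holds the part after the backslash (presumably DOMAIN\name -> name) so it can match the lookup key```
| eval time=strftime(_time, "%d/%m/%y %H:%M:%S")
```first and last event per user across the whole search time range, not per logon session```
| stats earliest(time) as FirstSeen, latest(time) as LastSeen by user
```strptime returns epoch seconds, so time_dur is a number of seconds```
| eval time_dur=(strptime(LastSeen,"%d/%m/%y %H:%M:%S")-strptime(FirstSeen,"%d/%m/%y %H:%M:%S"))
| lookup some_user_lookup user AS user OUTPUT type
```name the average time_dur: without the alias stats emits the field as "avg(time_dur)" and the eval below reads an empty time_dur; users with no type in the lookup drop out of this stats```
| stats avg(time_dur) as time_dur by type
```render the seconds as HH:MM```
| eval time_dur=printf("%02d:%02d", floor(time_dur / 3600), (time_dur % 3600) / 60)

One row per user, showing the user's type and duration:

index=main field=value1
| rex field=user "\w+\\\(?<user>.*)"
| eval time=strftime(_time, "%d/%m/%y %H:%M:%S")
```first and last event per user across the whole search time range, not per logon session```
| stats earliest(time) as FirstSeen, latest(time) as LastSeen by user
```strptime returns epoch seconds, so time_dur is a number of seconds```
| eval time_dur=(strptime(LastSeen,"%d/%m/%y %H:%M:%S")-strptime(FirstSeen,"%d/%m/%y %H:%M:%S"))
```type stays empty for any user that is missing from the lookup```
| lookup some_user_lookup user AS user OUTPUT type
```render the seconds as HH:MM```
| eval time_dur=printf("%02d:%02d", floor(time_dur / 3600), (time_dur % 3600) / 60)
| table type time_dur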