Fairly confident something akin to this should work (without using join:
index=ndx sourtype=srctp uuid=* msg=*
| stats min(_time) as first_time max(_time) as last_time earliest(msg) as first_msg latest(msg) as last_msg by uuid
| eval diff_seconds=last_time-first_time
| eval first_time=strftime(first_time,"%c"), last_time=strftime(last_time,"%c")
This approach will presume that _time has been set properly in the sourcetype’s props.conf, but if it has, this gets you what you’re looking for in one pass.
from User warren – Stack Overflow https://stackoverflow.com/questions/71719391/how-to-show-the-time-difference-between-two-events-in-a-splunk-join-query/71738005#71738005
via IFTTT