Answer by warren for Find duration between 2 events in splunk

Is it safe to assume the id field is unique?

If so, you can improve on @Tom's answer thusly:

index=ndx sourcetype=srctp ("start mode" OR "stop mode")
| stats min(_time) as start max(_time) as end by id
| eval duration=end-start
| eval start=strftime(start,"%c"), end=strftime(end,"%c")

from User warren – Stack Overflow https://stackoverflow.com/questions/75871034/find-duration-between-2-events-in-splunk/75879110#75879110
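
Why the uniqueness question above matters, as an added example (not part of warren's answer and not Splunk code): a Python model of the `stats min/max by id` query next to a start/stop pairing. The sample events and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (epoch seconds, id, message). Not from the original post.
EVENTS = [
    (1000, "a1", "start mode"),
    (1060, "a1", "stop mode"),
    (1100, "b2", "start mode"),
    (1130, "b2", "stop mode"),
    (5000, "a1", "start mode"),  # id "a1" is reused for a second run
    (5020, "a1", "stop mode"),
]

def span_by_id(events):
    """Model of `stats min(_time) as start max(_time) as end by id` + `eval duration`."""
    bounds = {}
    for t, ident, _ in events:
        lo, hi = bounds.get(ident, (t, t))
        bounds[ident] = (min(lo, t), max(hi, t))
    return {ident: hi - lo for ident, (lo, hi) in bounds.items()}

def runs_by_id(events):
    """Pair each "start mode" with the next "stop mode" seen for the same id."""
    open_start = {}
    runs = defaultdict(list)
    for t, ident, msg in sorted(events):
        if "start mode" in msg:
            open_start[ident] = t
        elif "stop mode" in msg and ident in open_start:
            runs[ident].append(t - open_start.pop(ident))
    return dict(runs)

def reused_ids(events):
    """Ids with more than one start event, where the min/max span is misleading."""
    starts = defaultdict(int)
    for _, ident, msg in events:
        if "start mode" in msg:
            starts[ident] += 1
    return sorted(ident for ident, n in starts.items() if n > 1)

if __name__ == "__main__":
    print("min/max span:", span_by_id(EVENTS))
    print("paired runs: ", runs_by_id(EVENTS))
    print("reused ids:  ", reused_ids(EVENTS))
```

For the reused id, the min/max span covers the idle gap between the two runs, so the reported duration is far larger than either run.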