https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-a-timefrime-from-two-events/m-p/447329#M29405 <P>@nicxso try the following search. (You can take out <CODE>session_id="79626ba1b6e186c9011b4ae82dc724c0"</CODE> from the main search once you are done testing).</P> <PRE><CODE>index=airlock_waf_app_acpt sourcetype="ergon:airlock:waf:web:access" (http_request_url="/portal/web/private-clients/" OR http_method="POST") AND (session_id="79626ba1b6e186c9011b4ae82dc724c0") | stats count by min(_time) as _time max(_time) as latestTime values(host) as host values(audit_token) as audit_token values(src_ip) as src_ip values(time_request_total) as time_request_total by session_id | search count&gt;1 | eval duration=latestTime-_time | where duration&gt;10 | table host, vhost, audit_token, src_ip, session_id, time_request_total </CODE></PRE> Sun, 17 Mar 2019 01:00:21 GMT niketn 2019-03-17T01:00:21Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-a-timefrime-from-two-events/m-p/447328#M29404 <P>Hey guys,</P> <P>I have a question. I have this search:</P> <P>index=airlock_waf_app_acpt sourcetype="ergon:airlock:waf:web:access" (http_request_url="/portal/web/private-clients/") OR (http_method="POST") AND (session_id="79626ba1b6e186c9011b4ae82dc724c0")</P> <P>| table host, vhost, audit_token, src_ip, session_id, time_request_total</P> <P>This gives me two events. In the picture, down below, the first event contains the part "http_request_url="/portal/web/private-clients/"" value and the second event contains the (http_method="POST") value. Both have the same session id.</P> <P><IMG src="https://community.splunk.com/storage/temp/270811-test.png" alt="alt text" /></P> <P>I would like to create a dashboard where it shows a time frame with the duration between this two events. The result of the duration should be 10 seconds.</P> <P>Is there a way where you don't have to use the transaction command or is there any other way ? Kinda curious.</P> <P>Thanks for your help</P> Tue, 29 Sep 2020 23:45:05 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-a-timefrime-from-two-events/m-p/447328#M29404 nicxso 2020-09-29T23:45:05Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-a-timefrime-from-two-events/m-p/447329#M29405 <P>@nicxso try the following search. (You can take out <CODE>session_id="79626ba1b6e186c9011b4ae82dc724c0"</CODE> from the main search once you are done testing).</P> <PRE><CODE>index=airlock_waf_app_acpt sourcetype="ergon:airlock:waf:web:access" (http_request_url="/portal/web/private-clients/" OR http_method="POST") AND (session_id="79626ba1b6e186c9011b4ae82dc724c0") | stats count by min(_time) as _time max(_time) as latestTime values(host) as host values(audit_token) as audit_token values(src_ip) as src_ip values(time_request_total) as time_request_total by session_id | search count&gt;1 | eval duration=latestTime-_time | where duration&gt;10 | table host, vhost, audit_token, src_ip, session_id, time_request_total </CODE></PRE> Sun, 17 Mar 2019 01:00:21 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-a-timefrime-from-two-events/m-p/447329#M29405 niketn 2019-03-17T01:00:21Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-a-timefrime-from-two-events/m-p/447330#M29406 <P>@niketnilay </P> <P>Thanks, I will try it out the search later. I would also like to use the search to display a timeline, where the X-Axis is showing the time from this two events and on the Y-Axis the duration. How can I do that ? Could I just use the timechart command? How would the search look like ?</P> <P>Thanks</P> Sun, 17 Mar 2019 10:54:02 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-a-timefrime-from-two-events/m-p/447330#M29406 nicxso 2019-03-17T10:54:02Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-a-timefrime-from-two-events/m-p/447331#M29407 <P>@nicxso if you want to display the duration for events you can use <A href="https://splunkbase.splunk.com/app/3120/">Timeline Custom Visualization</A> </P> Sun, 17 Mar 2019 11:56:05 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-a-timefrime-from-two-events/m-p/447331#M29407 niketn 2019-03-17T11:56:05Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-a-timefrime-from-two-events/m-p/447332#M29408 <P>@niketnilay Would it also be possible to use the timechart command ?</P> Sun, 17 Mar 2019 14:18:16 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-a-timefrime-from-two-events/m-p/447332#M29408 nicxso 2019-03-17T14:18:16Z