topic Re: How to calculate duration of two events with same fields that contain the same value occurred at different time in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-calculate-duration-of-two-events-with-same-fields-that/m-p/410565#M118489 <P>Hey David,<BR /> I tried this also , by doing this , event having same values occurred at different time gets grouped and duration takes the start time as first Open state and last resolved state of last occurrence of that event<BR /> For example :<BR /> _time ID Title Severity State hostname<BR /> 29-05-2019 08:02 450 Slow disk BBB OPEN host1<BR /> 29-05-2019 08:06 450 Slow disk BBB OPEN host1<BR /> 18-04-2019 18:49 450 Slow disk BBB RESOLVED host1<BR /> 18-04-2019 18:43 450 Slow disk BBB OPEN host1<BR /> BY using above trick , durationMinutes showing for these events as one <BR /> ID Title Severity State hostname durationMinutes <BR /> 450 Slow disk BBB RESOLVED host1 58392.36666666667 </P> <P>I want both events should be counted as individual . Please suggest some other way.</P> <P>Thanks.</P> Mon, 10 Jun 2019 16:59:05 GMT avni26 2019-06-10T16:59:05Z How to calculate duration of two events with same fields that contain the same value occurred at different time https://community.splunk.com/t5/Splunk-Search/How-to-calculate-duration-of-two-events-with-same-fields-that/m-p/410561#M118485 <P>I have following sample events of a problem having field State open and Resolved.</P> <PRE><CODE>_time ID Title Severity State hostname 08-05-2019 13:14 450 Monitoring AAA OPEN host2 08-05-2019 13:15 450 Monitoring AAA RESOLVED host2 16-05-2019 18:58 660 Slow disk BBB RESOLVED host1 16-05-2019 18:09 660 Slow disk BBB OPEN host1 29-05-2019 08:02 450 Slow disk BBB OPEN host3 29-05-2019 08:06 450 Slow disk BBB RESOLVED host3 18-04-2019 18:43 450 Slow disk BBB OPEN host3 25-03-2019 18:30 660 Slow disk BBB RESOLVED host1 25-03-2019 18:19 660 Slow disk BBB OPEN host1 18-04-2019 18:49 450 Slow disk BBB RESOLVED host3 </CODE></PRE> <P>I want to calculate the duration of each problem at every occurrence and want to display results in single table.<BR /> For example : Result should be like below</P> <PRE><CODE>_time ID Title Severity State hostname duration(Min) 18-04-2019 18:49 450 Slow disk BBB RESOLVED host3 3.00 08-05-2019 13:15 450 Monitoring AAA RESOLVED host2 1.02 29-05-2019 08:06 450 Slow disk BBB RESOLVED host3 4 25-03-2019 18:30 660 Slow disk BBB RESOLVED host1 11 16-05-2019 18:58 660 Slow disk BBB RESOLVED host1 49 </CODE></PRE> <P>Please suggest.</P> Fri, 07 Jun 2019 18:13:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-duration-of-two-events-with-same-fields-that/m-p/410561#M118485 avni26 2019-06-07T18:13:37Z Re: How to calculate duration of two events with same fields that contain the same value occurred at different time https://community.splunk.com/t5/Splunk-Search/How-to-calculate-duration-of-two-events-with-same-fields-that/m-p/410562#M118486 <P>You can use transaction for this. You would use both ID and host as the key:</P> <PRE><CODE>[BASE SEARCH] | transaction ID hostname startswith="(State=OPEN)" endswith="(State=RESOLVED)" | stats latest(_time) as time latest(Title) as Title latest(duration) as duration by ID hostname | eval time = strftime(time,"%Y-%m-%d %H:%M:%S.%3N") | eval duration = duration/60 | sort duration </CODE></PRE> <P>Try something like this. You will probably want to use a table command to format the fields in the correct order at the end of the search.</P> Fri, 07 Jun 2019 18:46:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-duration-of-two-events-with-same-fields-that/m-p/410562#M118486 kmorris_splunk 2019-06-07T18:46:02Z Re: How to calculate duration of two events with same fields that contain the same value occurred at different time https://community.splunk.com/t5/Splunk-Search/How-to-calculate-duration-of-two-events-with-same-fields-that/m-p/410563#M118487 <P>Hi Kmorris,</P> <P>I already tried this, from transaction its not fetching all desired output . There is some Problem events also exist whose State is only "OPEN" or only RESOLVED . Those events count are not coming after using this. <BR /> And also due to Transaction command , Its taking lots of time to load. <BR /> Can't it be done by some other way without using Transaction.</P> <P>Please suggest .</P> <P>Thanks</P> Mon, 10 Jun 2019 06:21:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-duration-of-two-events-with-same-fields-that/m-p/410563#M118487 avni26 2019-06-10T06:21:56Z Re: How to calculate duration of two events with same fields that contain the same value occurred at different time https://community.splunk.com/t5/Splunk-Search/How-to-calculate-duration-of-two-events-with-same-fields-that/m-p/410564#M118488 <P>Hi @avni26,</P> <P>This will do the trick :</P> <PRE><CODE>Yoursearch | stats earliest(_time) as start, latest(_time) as end, values(severity) as severity,values(Title) as Title, last(State) as State by hostname, ID |eval durationMinutes=(end-start)/60 </CODE></PRE> <P>Let me know if that helps.</P> <P>Cheers,<BR /> David</P> Mon, 10 Jun 2019 07:57:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-duration-of-two-events-with-same-fields-that/m-p/410564#M118488 DavidHourani 2019-06-10T07:57:14Z Re: How to calculate duration of two events with same fields that contain the same value occurred at different time https://community.splunk.com/t5/Splunk-Search/How-to-calculate-duration-of-two-events-with-same-fields-that/m-p/410565#M118489 <P>Hey David,<BR /> I tried this also , by doing this , event having same values occurred at different time gets grouped and duration takes the start time as first Open state and last resolved state of last occurrence of that event<BR /> For example :<BR /> _time ID Title Severity State hostname<BR /> 29-05-2019 08:02 450 Slow disk BBB OPEN host1<BR /> 29-05-2019 08:06 450 Slow disk BBB OPEN host1<BR /> 18-04-2019 18:49 450 Slow disk BBB RESOLVED host1<BR /> 18-04-2019 18:43 450 Slow disk BBB OPEN host1<BR /> BY using above trick , durationMinutes showing for these events as one <BR /> ID Title Severity State hostname durationMinutes <BR /> 450 Slow disk BBB RESOLVED host1 58392.36666666667 </P> <P>I want both events should be counted as individual . Please suggest some other way.</P> <P>Thanks.</P> Mon, 10 Jun 2019 16:59:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-duration-of-two-events-with-same-fields-that/m-p/410565#M118489 avni26 2019-06-10T16:59:05Z Re: How to calculate duration of two events with same fields that contain the same value occurred at different time https://community.splunk.com/t5/Splunk-Search/How-to-calculate-duration-of-two-events-with-same-fields-that/m-p/410566#M118490 <P>@DavidHourani @kmorris Sorry for delay response. <BR /> Thank you so much it worked <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Thu, 11 Jul 2019 06:22:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-duration-of-two-events-with-same-fields-that/m-p/410566#M118490 avni26 2019-07-11T06:22:19Z