https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-from-different-events/m-p/429513#M122855 <P>Like this:</P> <PRE><CODE>index= caudit AND (eventName=505 OR eventName=507) | streamstats count(eval("EventStreamData.response.verificationStatus"=PROCESSED)) AS sessionID BY EventStreamData.args.verificationId | stats min(_time) AS start_time max(_time) AS end_time range(_time) AS duration BY EventStreamData.args.verificationId sessionID </CODE></PRE> Sun, 27 Jan 2019 18:50:59 GMT woodcock 2019-01-27T18:50:59Z https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-from-different-events/m-p/429512#M122854 <P>How do i get different events names and same reference ID stat time from one event and end time from one event and average for total time for span of time?</P> <P>eventName 505 (startTime) - ----507 with PROCESSED status(endtime) . total avarage time </P> <P>=================================================================</P> <PRE><CODE>Index= caudit eventName=505 |search "EventStreamData.args.verificationId"="8387be8f" |EventStreamData.requestContext.eventStartTime=* Index= caudit eventName=507 |search "EventStreamData.args.verificationId"="8387be8f" |EventStreamData.response.verificationStatus"=PROCESSED |EventStreamData.requestContext.eventEndTime=* </CODE></PRE> <P>the result will be :</P> <PRE><CODE>start time. End time . average time 12:00: 00 12.00: 30 . .000000xxx </CODE></PRE> Sun, 27 Jan 2019 17:59:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-from-different-events/m-p/429512#M122854 vkari 2019-01-27T17:59:41Z https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-from-different-events/m-p/429513#M122855 <P>Like this:</P> <PRE><CODE>index= caudit AND (eventName=505 OR eventName=507) | streamstats count(eval("EventStreamData.response.verificationStatus"=PROCESSED)) AS sessionID BY EventStreamData.args.verificationId | stats min(_time) AS start_time max(_time) AS end_time range(_time) AS duration BY EventStreamData.args.verificationId sessionID </CODE></PRE> Sun, 27 Jan 2019 18:50:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-from-different-events/m-p/429513#M122855 woodcock 2019-01-27T18:50:59Z https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-from-different-events/m-p/429514#M122856 <P>The query won't work for me </P> <P>Here my business modal starts, eventName=505 reference ID will create here from 505 "EventStreamData start time " and with the same reference ID some of the requests only going through eventName=507, here(507) verification status=PROCESSED then "EventStreamData end time " end time from here </P> <P>both starting times to end time average Time needs to be displayed </P> <P>Index= caudit eventName=505<BR /> |search "EventStreamData.args.verificationId"="8387be8f"<BR /> |EventStreamData.requestContext.eventStartTime=*</P> <P>Index= caudit eventName=507<BR /> |search "EventStreamData.args.verificationId"="8387be8f"<BR /> |EventStreamData.response.verificationStatus"=PROCESSED<BR /> |EventStreamData.requestContext.eventEndTime=*</P> Sun, 27 Jan 2019 19:46:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-from-different-events/m-p/429514#M122856 vkari 2019-01-27T19:46:21Z https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-from-different-events/m-p/429515#M122857 <P>I gave you enough for you to craft a complete solution. I cannot help you because you are mixing and matching things that do not make sense. You cannot really have a start, end, and average time. You need to be more clear about your example. In any case, I think if you really think about my answer, it has everything that you need to do anything that you might like to do.</P> Sun, 27 Jan 2019 22:36:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-from-different-events/m-p/429515#M122857 woodcock 2019-01-27T22:36:26Z