https://community.splunk.com/t5/Splunk-Search/calculate-sum-of-duration-between-events/m-p/469854#M132212 <P>I have events like below</P> <PRE><CODE>2019-10-21 04:17:54.968, rev=true 2019-10-21 04:17:55.968, rev=true 2019-10-21 04:17:56.968, rev=false 2019-10-21 04:17:57.968, rev=false 2019-10-21 04:17:58.968, rev=true 2019-10-21 04:17:59.968, rev=true 2019-10-21 04:18:00.968, rev=true </CODE></PRE> <P>Here I want to calculate duration starts from <CODE>rev=true</CODE> till <CODE>rev=false</CODE> and then sum these duration. from above events I would like to calculate duration from <CODE>2019-10-21 04:17:54.968</CODE> till <CODE>2019-10-21 04:17:56.968</CODE> and again from <CODE>2019-10-21 04:17:58.968</CODE> till <BR /> <CODE>2019-10-21 04:18:00.968</CODE>. I tried <CODE>transaction</CODE> command but unable to succeed .<BR /> kindly help.</P> Fri, 25 Oct 2019 12:20:54 GMT ips_mandar 2019-10-25T12:20:54Z https://community.splunk.com/t5/Splunk-Search/calculate-sum-of-duration-between-events/m-p/469854#M132212 <P>I have events like below</P> <PRE><CODE>2019-10-21 04:17:54.968, rev=true 2019-10-21 04:17:55.968, rev=true 2019-10-21 04:17:56.968, rev=false 2019-10-21 04:17:57.968, rev=false 2019-10-21 04:17:58.968, rev=true 2019-10-21 04:17:59.968, rev=true 2019-10-21 04:18:00.968, rev=true </CODE></PRE> <P>Here I want to calculate duration starts from <CODE>rev=true</CODE> till <CODE>rev=false</CODE> and then sum these duration. from above events I would like to calculate duration from <CODE>2019-10-21 04:17:54.968</CODE> till <CODE>2019-10-21 04:17:56.968</CODE> and again from <CODE>2019-10-21 04:17:58.968</CODE> till <BR /> <CODE>2019-10-21 04:18:00.968</CODE>. I tried <CODE>transaction</CODE> command but unable to succeed .<BR /> kindly help.</P> Fri, 25 Oct 2019 12:20:54 GMT https://community.splunk.com/t5/Splunk-Search/calculate-sum-of-duration-between-events/m-p/469854#M132212 ips_mandar 2019-10-25T12:20:54Z https://community.splunk.com/t5/Splunk-Search/calculate-sum-of-duration-between-events/m-p/469855#M132213 <PRE><CODE>| stats count | eval raw="2019-10-21 04:17:57.968, rev=false 2019-10-21 04:17:54.968, rev=true 2019-10-21 04:17:55.968, rev=true 2019-10-21 04:17:56.968, rev=false 2019-10-21 04:17:57.968, rev=false 2019-10-21 04:17:58.968, rev=true 2019-10-21 04:17:59.968, rev=true 2019-10-21 04:18:00.968, rev=true" | makemv delim=" " raw | mvexpand raw | rex field=raw "^(?&lt;time&gt;[^,]+), rev=(?&lt;rev&gt;\w+)" | eval _time=strptime(time,"%Y-%m-%d %H:%M:%S.%3Q") | table _time rev `comment("this is sample data")` | streamstats count(eval(rev=="true")) as count max(_time) as new min(_time) as old reset_after="("rev==\"false\"")" | eventstats count as event_count | streamstats count as stream_count | eval duration = if(rev == "false" OR event_count==stream_count , new - old , NULL) </CODE></PRE> <P>Hi, this is sample query.<BR /> How about it?</P> <P>If you have multiple sources:</P> <PRE><CODE>| stats count | eval raw="2019-10-21 04:17:54.968, rev=true 2019-10-21 04:17:55.968, rev=true 2019-10-21 04:17:56.968, rev=false 2019-10-21 04:17:57.968, rev=false 2019-10-21 04:17:58.968, rev=true 2019-10-21 04:17:59.968, rev=true 2019-10-21 04:18:00.968, rev=true" | eval source="sourceA sourceB sourceC" | makemv delim=" " source | mvexpand source | makemv delim=" " raw | mvexpand raw | rex field=raw "^(?&lt;time&gt;[^,]+), rev=(?&lt;rev&gt;\w+)" | eval _time=strptime(time,"%Y-%m-%d %H:%M:%S.%3Q") | table _time rev source `comment("this is sample data")` | sort 0 source _time | streamstats count(eval(rev=="true")) as count max(_time) as new min(_time) as old reset_after="("rev==\"false\"")" by source | eventstats count as event_count by source | streamstats count as stream_count by source | eval duration = if(rev == "false" OR event_count==stream_count , new - old , NULL) </CODE></PRE> <P>If you put the <CODE>source</CODE> on the table, it will move.</P> Fri, 25 Oct 2019 14:51:58 GMT https://community.splunk.com/t5/Splunk-Search/calculate-sum-of-duration-between-events/m-p/469855#M132213 to4kawa 2019-10-25T14:51:58Z https://community.splunk.com/t5/Splunk-Search/calculate-sum-of-duration-between-events/m-p/469856#M132214 <P>Like this:</P> <PRE><CODE>| makeresults | eval raw="_time=2019-10-2T04:17:54.968,rev=true _time=2019-10-21T04:17:55.968,rev=true _time=2019-10-21T04:17:56.968,rev=false _time=2019-10-21T04:17:57.968,rev=false _time=2019-10-21T04:17:58.968,rev=true _time=2019-10-21T04:17:59.968,rev=true _time=2019-10-21T04:18:00.968,rev=true" | makemv raw | mvexpand raw | rename raw AS _raw | fields - _time | kv | eval _time = strptime(time, "%Y-%m-%dT%H:%M:%S") | sort 0 - _time | rename COMMENT AS "Everything above generates sample event data; everything below is your solution" | streamstats count(eval(rev="false")) AS sessionID | eventstats last(rev) AS first_rev first(rev) AS last_rev BY sessionID | search first_rev = "true" | stats min(_time) AS _time range(_time) AS duration BY sessionID | fieldformat duration = tostring(duration, "duration") </CODE></PRE> Sat, 26 Oct 2019 00:45:25 GMT https://community.splunk.com/t5/Splunk-Search/calculate-sum-of-duration-between-events/m-p/469856#M132214 woodcock 2019-10-26T00:45:25Z https://community.splunk.com/t5/Splunk-Search/calculate-sum-of-duration-between-events/m-p/469857#M132215 <P>Thanks @to4kawa. It is working if I separately mention source but I want to work it for all source.<BR /> so I tried <CODE>... | streamstats count(eval(rev=="true")) as count max(_time) as new min(_time) as old reset_after="("rev==\"false\"")" global=false by source...</CODE><BR /> but it is not working as expected .Please help here.</P> Mon, 28 Oct 2019 06:06:26 GMT https://community.splunk.com/t5/Splunk-Search/calculate-sum-of-duration-between-events/m-p/469857#M132215 ips_mandar 2019-10-28T06:06:26Z https://community.splunk.com/t5/Splunk-Search/calculate-sum-of-duration-between-events/m-p/469858#M132216 <P>If I understand your question right, this is fairly simple, try this</P> <PRE><CODE>your base search | sort _time | eval row_num=1 | streamstats sum(row_num) as row_num by rev reset_on_change=true | delta _time as timediff | eval timediff=if(row_num==1, 0, timediff) | streamstats sum(timediff) as timediff by rev reset_on_change=true | streamstats max(timediff) as max_timediff by rev reset_on_change=true | where timediff=max_timediff and rev=="true" | stats sum(timediff) </CODE></PRE> <P>Let me know if this works for you. If yes, please upvote and mark as answer</P> <P>Cheers</P> Tue, 29 Oct 2019 10:52:23 GMT https://community.splunk.com/t5/Splunk-Search/calculate-sum-of-duration-between-events/m-p/469858#M132216 arjunpkishore5 2019-10-29T10:52:23Z