https://community.splunk.com/t5/Splunk-Search/Duration-between-events-Max-gap-not-the-start-and-end-points/m-p/500520#M139348 <P>no... can't be this straight forward</P> <P>| streamstats current=t window=2 range(_time) AS duration BY customerNumber <BR /> | stats min(duration) AS Min max(duration) AS Max avg(duration) AS Avg BY customerNumber </P> Tue, 04 Feb 2020 10:31:52 GMT stephenreece 2020-02-04T10:31:52Z https://community.splunk.com/t5/Splunk-Search/Duration-between-events-Max-gap-not-the-start-and-end-points/m-p/500519#M139347 <P>hi all .</P> <P>I am trying to create a map where I can look at users max duration between logins who register with us between 2 fixed dates i.e. jan17-feb17.</P> <P>So i have the following which is interesting but doesnt give the max length.</P> <P>| dedup eventId <BR /> | stats count(_time) as appear_count, values(_time) as appear_dates max(_time) as last min(_time) as latest by customerNumber<BR /> | eval first_appear=strftime(first,"%d/%m/%Y") <BR /> | eval last_appear=strftime(last,"%d/%m/%Y") <BR /> | eval appear_dates=strftime(appear_dates,"%d/%m/%Y") <BR /> | eval duration=(last-latest)<BR /> | eval duration=round((last-first)/86400)<BR /> | where first&lt;01/02/2019</P> <P>For example i have a user that has used the service 400 times with a max break of about a week. So i needed the search to pick up the user where first appear = jan-feb2017 and then i need to know that this user has had at max a weeks break between accessing.</P> <P>Does this make sense. </P> <P>Its almost as if i need towrite the search to collect all users where first&lt;28/02/2017.<BR /><BR /> - and then i need to eval each event in order and subtract the later from the earlier,.. so for someone who accessed the service 5 times it would be</P> <P>USER ONE <BR /> first=22/02/2017<BR /> event 1 22/02/2017<BR /> event 2 25/02/2017 (diff between event 2-1 = 3days)<BR /> event 3 01/03/2017 (diff between event 3-2 = 4days)<BR /> <STRONG>event 4 09/03/2017 (diff between event 2-1 = 8days)</STRONG> <BR /> LAST event 5 10/03/2017 (diff between event 2-1 = 1day)</P> <P><STRONG>Therefore max duration between events = 8days</STRONG></P> Wed, 30 Sep 2020 03:59:57 GMT https://community.splunk.com/t5/Splunk-Search/Duration-between-events-Max-gap-not-the-start-and-end-points/m-p/500519#M139347 stephenreece 2020-09-30T03:59:57Z https://community.splunk.com/t5/Splunk-Search/Duration-between-events-Max-gap-not-the-start-and-end-points/m-p/500520#M139348 <P>no... can't be this straight forward</P> <P>| streamstats current=t window=2 range(_time) AS duration BY customerNumber <BR /> | stats min(duration) AS Min max(duration) AS Max avg(duration) AS Avg BY customerNumber </P> Tue, 04 Feb 2020 10:31:52 GMT https://community.splunk.com/t5/Splunk-Search/Duration-between-events-Max-gap-not-the-start-and-end-points/m-p/500520#M139348 stephenreece 2020-02-04T10:31:52Z https://community.splunk.com/t5/Splunk-Search/Duration-between-events-Max-gap-not-the-start-and-end-points/m-p/500521#M139349 <P>That is about the answer I was going to suggest and should give you correct results.</P> <P>If your testing shows it is (which is should be), why not write that up as your own answer, then mark it as accepted? It's perfectly acceptable to [at least occasionally] answer your own questions!</P> <P>-Rich</P> Tue, 04 Feb 2020 15:54:08 GMT https://community.splunk.com/t5/Splunk-Search/Duration-between-events-Max-gap-not-the-start-and-end-points/m-p/500521#M139349 Richfez 2020-02-04T15:54:08Z https://community.splunk.com/t5/Splunk-Search/Duration-between-events-Max-gap-not-the-start-and-end-points/m-p/500522#M139350 <P>Yep. Write it up and accept it.</P> Tue, 04 Feb 2020 19:58:41 GMT https://community.splunk.com/t5/Splunk-Search/Duration-between-events-Max-gap-not-the-start-and-end-points/m-p/500522#M139350 DalJeanis 2020-02-04T19:58:41Z