https://community.splunk.com/t5/Splunk-Search/How-to-use-streamstats-to-evaluate-events-from-different/m-p/504513#M140867 <P>Background:&nbsp; I'm trying to create a monthly report that tracks how many terminals we Add and how many terminals we Remove at a property.&nbsp; We have two separate events that track these:&nbsp; RoomTerminalAdd and RoomTerminalRemove.&nbsp;&nbsp;</P><P>Sometimes we have field reps that need to troubleshoot these terminals and end up with multiples of these events that don't actually indicate a full Add or Remove.&nbsp; I would like to "pair up" these events and evaluate the time differences based on the property, room number, and terminal address.&nbsp; If the time difference is below 15 minutes then I want to removed them from the final monthly count.&nbsp;&nbsp;</P><P>Here's a visual to help explain what I'm trying to do:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bhavlik_0-1592261741653.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/9193iC85E6272E1963CE7/image-size/medium?v=v2&amp;px=400" role="button" title="bhavlik_0-1592261741653.png" alt="bhavlik_0-1592261741653.png" /></span></P><P>After removing these "pairs" that fit the &lt;15 min time difference, I want to then get a total count of each event type separately.&nbsp; &nbsp;TerminalsAdded=##&nbsp; TerminalsRemoved=##</P><P>I have used the command transaction in the past but won't work here as it removes any events that don't have a pair and I need to keep those for my overall count.&nbsp; My next option would be streamstats but I don't have any experience with using that command and not sure how to bring in the time difference for evaluating what to keep and what to remove from search.&nbsp;&nbsp;</P><P>Anyone out there have any advice or tips on how to reach my end goal?</P> Mon, 15 Jun 2020 23:03:00 GMT bhavlik 2020-06-15T23:03:00Z https://community.splunk.com/t5/Splunk-Search/How-to-use-streamstats-to-evaluate-events-from-different/m-p/504513#M140867 <P>Background:&nbsp; I'm trying to create a monthly report that tracks how many terminals we Add and how many terminals we Remove at a property.&nbsp; We have two separate events that track these:&nbsp; RoomTerminalAdd and RoomTerminalRemove.&nbsp;&nbsp;</P><P>Sometimes we have field reps that need to troubleshoot these terminals and end up with multiples of these events that don't actually indicate a full Add or Remove.&nbsp; I would like to "pair up" these events and evaluate the time differences based on the property, room number, and terminal address.&nbsp; If the time difference is below 15 minutes then I want to removed them from the final monthly count.&nbsp;&nbsp;</P><P>Here's a visual to help explain what I'm trying to do:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bhavlik_0-1592261741653.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/9193iC85E6272E1963CE7/image-size/medium?v=v2&amp;px=400" role="button" title="bhavlik_0-1592261741653.png" alt="bhavlik_0-1592261741653.png" /></span></P><P>After removing these "pairs" that fit the &lt;15 min time difference, I want to then get a total count of each event type separately.&nbsp; &nbsp;TerminalsAdded=##&nbsp; TerminalsRemoved=##</P><P>I have used the command transaction in the past but won't work here as it removes any events that don't have a pair and I need to keep those for my overall count.&nbsp; My next option would be streamstats but I don't have any experience with using that command and not sure how to bring in the time difference for evaluating what to keep and what to remove from search.&nbsp;&nbsp;</P><P>Anyone out there have any advice or tips on how to reach my end goal?</P> Mon, 15 Jun 2020 23:03:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-streamstats-to-evaluate-events-from-different/m-p/504513#M140867 bhavlik 2020-06-15T23:03:00Z