https://community.splunk.com/t5/Splunk-Search/Duration-of-two-events-by-status/m-p/312464#M164789 <P>You can probably do this by using <CODE>reverse</CODE> and <CODE>dedup</CODE> command. Are both ip and status an extracted fields? If yes, something like this would work.</P> <PRE><CODE>your base search | reverse | dedup ip status | stats range(_time) by ip </CODE></PRE> Mon, 27 Nov 2017 16:14:29 GMT somesoni2 2017-11-27T16:14:29Z https://community.splunk.com/t5/Splunk-Search/Duration-of-two-events-by-status/m-p/312462#M164787 <P>hi,<BR /> my raw data look like this:</P> <P>12:01:11:000 ip: "123.456.789" = "1"<BR /> 12:01:12:000 ip: "123.456.789" = "1"<BR /> 12:01:13:000 ip: "123.456.789" = "1"<BR /> 12:01:14:000 ip: "123.456.789" = "2"<BR /> 12:01:15:000 ip: "123.456.789" = "2"<BR /> 12:01:16:000 ip: "123.456.789" = "1"<BR /> 12:01:17:000 ip: "123.456.789" = "1"</P> <P>Now i want to calculate the duration only between the first event of "1" and "2". In other words, the duration when the ip shows the status "1". I tried some transaction and streamstats commands but nothing worked properly.</P> <P>Thanks for your help!</P> Mon, 27 Nov 2017 14:11:25 GMT https://community.splunk.com/t5/Splunk-Search/Duration-of-two-events-by-status/m-p/312462#M164787 reschal 2017-11-27T14:11:25Z https://community.splunk.com/t5/Splunk-Search/Duration-of-two-events-by-status/m-p/312463#M164788 <P>You could try with the transaction command:</P> <PRE><CODE>index=&lt;your_index&gt; sourcetype=&lt;your_sourcetype&gt; | transaction ip endswith=value=2 | eval keep=mvfilter(match(value, "1")) | where keep=1 </CODE></PRE> <P>Assuming you are extracting the ip under field "ip" and values 1/2 under field "value"</P> Mon, 27 Nov 2017 15:46:01 GMT https://community.splunk.com/t5/Splunk-Search/Duration-of-two-events-by-status/m-p/312463#M164788 damien_chillet 2017-11-27T15:46:01Z https://community.splunk.com/t5/Splunk-Search/Duration-of-two-events-by-status/m-p/312464#M164789 <P>You can probably do this by using <CODE>reverse</CODE> and <CODE>dedup</CODE> command. Are both ip and status an extracted fields? If yes, something like this would work.</P> <PRE><CODE>your base search | reverse | dedup ip status | stats range(_time) by ip </CODE></PRE> Mon, 27 Nov 2017 16:14:29 GMT https://community.splunk.com/t5/Splunk-Search/Duration-of-two-events-by-status/m-p/312464#M164789 somesoni2 2017-11-27T16:14:29Z https://community.splunk.com/t5/Splunk-Search/Duration-of-two-events-by-status/m-p/312465#M164790 <P>(I loaded your sample data into my test box then I did a field extraction for the IP and another for CODE.)</P> <PRE><CODE>index=main sourcetype=reschal2 | sort _time | table _time, CODE | streamstats range(_time) as DURATION by CODE reset_on_change=true </CODE></PRE> <P>Those commands will show you how long it was "1", then "2" then "1" again.</P> <P>Here are some screenshots....</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3936i147679A359344107/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 27 Nov 2017 20:00:38 GMT https://community.splunk.com/t5/Splunk-Search/Duration-of-two-events-by-status/m-p/312465#M164790 lycollicott 2017-11-27T20:00:38Z https://community.splunk.com/t5/Splunk-Search/Duration-of-two-events-by-status/m-p/312466#M164791 <P>Don't know why the screenshot isn't displaying and the site won't let me upload another. <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> </P> Mon, 27 Nov 2017 20:22:08 GMT https://community.splunk.com/t5/Splunk-Search/Duration-of-two-events-by-status/m-p/312466#M164791 lycollicott 2017-11-27T20:22:08Z https://community.splunk.com/t5/Splunk-Search/Duration-of-two-events-by-status/m-p/312467#M164792 <P>I would change <CODE>| sort _time</CODE> to <CODE>| sort 0 _time</CODE> in order to avoid it to be truncated after 10K rows (default limit). </P> Mon, 27 Nov 2017 20:51:29 GMT https://community.splunk.com/t5/Splunk-Search/Duration-of-two-events-by-status/m-p/312467#M164792 somesoni2 2017-11-27T20:51:29Z https://community.splunk.com/t5/Splunk-Search/Duration-of-two-events-by-status/m-p/312468#M164793 <P>Thank you. Your answer works great. By adding</P> <P>|table _time duration |eval duration=tostring(duration,"duration")| sort -_time</P> <P>i get a proper solution!</P> Tue, 29 Sep 2020 17:01:22 GMT https://community.splunk.com/t5/Splunk-Search/Duration-of-two-events-by-status/m-p/312468#M164793 reschal 2020-09-29T17:01:22Z https://community.splunk.com/t5/Splunk-Search/Duration-of-two-events-by-status/m-p/312469#M164794 <P>Yea, i forgot to mention duration would be stored under duration field, that's great you found it!</P> <P>Thanks for accepting my answer and happy Splunking!</P> Tue, 28 Nov 2017 09:36:15 GMT https://community.splunk.com/t5/Splunk-Search/Duration-of-two-events-by-status/m-p/312469#M164794 damien_chillet 2017-11-28T09:36:15Z