https://community.splunk.com/t5/Splunk-Search/Correlating-Different-Events-and-Calculating-Time-Difference/m-p/252726#M189353 <P>How many times these events can happen from one host in a day?</P> Fri, 18 Mar 2016 21:34:52 GMT somesoni2 2016-03-18T21:34:52Z https://community.splunk.com/t5/Splunk-Search/Correlating-Different-Events-and-Calculating-Time-Difference/m-p/252724#M189351 <P>I’m trying to report on the time difference between two related events. Both events are collected from Windows event log and are in the same index. They will occur on the same host but at different times and IDs.<BR /> Example event data:</P> <P>Time: 3/11/2016 9:00:45 PM <BR /> EventID: 1000 <BR /> Source: Backup Agent Message: <BR /> Backup Started <BR /> Host: Server1 <BR /> Time: 3/12/2016 1:09:45 AM</P> <P>EventID: 1001<BR /> Source: Backup Agent<BR /> Message: Backup Completed<BR /> Host: Server1</P> <P>The second event can occur any time after the first, maybe in a few minutes or a few hours. I’m thinking I need to find event 1(1000) first and then look for the first occurrence of event 2 afterwards. The index would contain similar events from many hosts around the same time.<BR /> I’ve tried various attempts with joins, transactions, and subsearches and searching the documentation for suggestions with no luck. I’m really not concerned with any of the data in the event other than the time (which I would eval to a start and end time). The goal is to be able to run a report over a time span to show the start/end times for each host.</P> <P>This gets me close but doesn’t scale to multiple hosts/time ranges:</P> <PRE><CODE>index="wineventlog" SourceName="Backup Agent" (EventCode="1000" OR EventCode="1001") | transaction maxspan=4h startswith=(EventCode="1000") endswith=(EventCode="1001") | table host,duration </CODE></PRE> Fri, 18 Mar 2016 19:10:24 GMT https://community.splunk.com/t5/Splunk-Search/Correlating-Different-Events-and-Calculating-Time-Difference/m-p/252724#M189351 dw385 2016-03-18T19:10:24Z https://community.splunk.com/t5/Splunk-Search/Correlating-Different-Events-and-Calculating-Time-Difference/m-p/252725#M189352 <P>Try this first:</P> <PRE><CODE> index="wineventlog" SourceName="Backup Agent" (EventCode="1000" OR EventCode="1001") | transaction host maxspan=4h startswith=(EventCode="1000") endswith=(EventCode="1001") | table host,duration </CODE></PRE> <P>All I did was add <CODE>host</CODE> to the transaction command. This should help, but it still may not be a good solution, if you have a long time range.<BR /> You could also try this:</P> <PRE><CODE> index="wineventlog" SourceName="Backup Agent" (EventCode="1000" OR EventCode="1001") | sort host,_time | eval starttime=if(EventCode="1000",_time,null()) | eval endtime=if(EventCode="1001",_time,null()) | streamstats current=t window=2 global=f latest(starttime) as start latest(endtime) as end by host | where isnotnull(endtime) | eval duration=end-start </CODE></PRE> <P>This solution should work with somewhat larger timeframes. I am not sure how well it will work if you have multiple backups for a single host.</P> Fri, 18 Mar 2016 21:33:56 GMT https://community.splunk.com/t5/Splunk-Search/Correlating-Different-Events-and-Calculating-Time-Difference/m-p/252725#M189352 lguinn2 2016-03-18T21:33:56Z https://community.splunk.com/t5/Splunk-Search/Correlating-Different-Events-and-Calculating-Time-Difference/m-p/252726#M189353 <P>How many times these events can happen from one host in a day?</P> Fri, 18 Mar 2016 21:34:52 GMT https://community.splunk.com/t5/Splunk-Search/Correlating-Different-Events-and-Calculating-Time-Difference/m-p/252726#M189353 somesoni2 2016-03-18T21:34:52Z https://community.splunk.com/t5/Splunk-Search/Correlating-Different-Events-and-Calculating-Time-Difference/m-p/252727#M189354 <P>Usually only one occurrence but its possible to see multiple in a day as jobs are restarted.</P> Mon, 21 Mar 2016 12:04:19 GMT https://community.splunk.com/t5/Splunk-Search/Correlating-Different-Events-and-Calculating-Time-Difference/m-p/252727#M189354 dw385 2016-03-21T12:04:19Z