https://community.splunk.com/t5/Splunk-Search/How-to-search-between-two-lines/m-p/626950#M217882 <P>Hello All,</P> <P>I have following lines in the log file -</P> <P>&nbsp;</P> <LI-CODE lang="markup">Server8 runiyal 2023-01-12 09:48:41,880 INFO Plugin.DOCUMENT Bytes size from input stream : 2072823 server8 runiyal 2023-01-12 09:48:41,978 INFO Plugin.DOCUMENT File size after upload to temp folder: 2072823 server8 runiyal 2023-01-12 09:48:43,391 SUCCESS Plugin.DOCUMENT File size after notifying the docrepo : 2072823</LI-CODE> <P>&nbsp;</P> <P>I want to -<BR />1. Search for the DocID in the end &lt;2072823&gt;; It should have SUCCESS written in line. (Line3)<BR />2. It should then look at the above line with string "from input stream" for the same DocID (Line 1)<BR />3. Reduce the timestamp from SUCCESS line (3) to the timestamp in line with the text "from input stream" (Line 1) - Result will be in seconds<BR />4. Result should be in two columns: "DocID" and "Time Taken" (4)</P> <P>Will appreciate your inputs on how this can be achieved. Thanks!</P> Thu, 12 Jan 2023 20:39:01 GMT runiyal 2023-01-12T20:39:01Z https://community.splunk.com/t5/Splunk-Search/How-to-search-between-two-lines/m-p/626950#M217882 <P>Hello All,</P> <P>I have following lines in the log file -</P> <P>&nbsp;</P> <LI-CODE lang="markup">Server8 runiyal 2023-01-12 09:48:41,880 INFO Plugin.DOCUMENT Bytes size from input stream : 2072823 server8 runiyal 2023-01-12 09:48:41,978 INFO Plugin.DOCUMENT File size after upload to temp folder: 2072823 server8 runiyal 2023-01-12 09:48:43,391 SUCCESS Plugin.DOCUMENT File size after notifying the docrepo : 2072823</LI-CODE> <P>&nbsp;</P> <P>I want to -<BR />1. Search for the DocID in the end &lt;2072823&gt;; It should have SUCCESS written in line. (Line3)<BR />2. It should then look at the above line with string "from input stream" for the same DocID (Line 1)<BR />3. Reduce the timestamp from SUCCESS line (3) to the timestamp in line with the text "from input stream" (Line 1) - Result will be in seconds<BR />4. Result should be in two columns: "DocID" and "Time Taken" (4)</P> <P>Will appreciate your inputs on how this can be achieved. Thanks!</P> Thu, 12 Jan 2023 20:39:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-between-two-lines/m-p/626950#M217882 runiyal 2023-01-12T20:39:01Z https://community.splunk.com/t5/Splunk-Search/How-to-search-between-two-lines/m-p/626954#M217884 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/138387">@runiyal</a>,</P><P>I suppose that you already extracted the DocID field, otherwise you have to add a rex command before the stats command.</P><P>you could use the transaction command</P><LI-CODE lang="markup">index=your_index 1. (SUCCESS OR "from input stream" OR "from input stream") | transaction DocID | rename duration AS "Time Taken" | table DocID "Time Taken"</LI-CODE><P>that's very slow, so try this different approach:</P><LI-CODE lang="markup">index=your_index 1. (SUCCESS OR "from input stream" OR "from input stream") | stats earliest(_time) AS earliest latest(_time) AS latest BY DocID | eval Time_Take=latest-earliest | table DocID Time_Taken | rename Time_Taken AS "Time Taken"</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Thu, 12 Jan 2023 16:45:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-between-two-lines/m-p/626954#M217884 gcusello 2023-01-12T16:45:45Z https://community.splunk.com/t5/Splunk-Search/How-to-search-between-two-lines/m-p/626967#M217888 <P><SPAN>Thanks&nbsp;</SPAN><SPAN>Giuseppe.. I have to extract the docID field too.</SPAN></P> Thu, 12 Jan 2023 18:51:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-between-two-lines/m-p/626967#M217888 runiyal 2023-01-12T18:51:38Z https://community.splunk.com/t5/Splunk-Search/How-to-search-between-two-lines/m-p/627026#M217919 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/138387">@runiyal</a>,</P><P>in this case. you have to add a regex extraction to your search:</P><P>with transaction:</P><LI-CODE lang="markup">index=your_index 1. (SUCCESS OR "from input stream" OR "from input stream") | rex "(?&lt;DocID&gt;\d+)$" | transaction DocID | rename duration AS "Time Taken" | table DocID "Time Taken"</LI-CODE><P>or with stats (better):</P><LI-CODE lang="markup">index=your_index 1. (SUCCESS OR "from input stream" OR "from input stream") | rex "(?&lt;DocID&gt;\d+)$" | stats earliest(_time) AS earliest latest(_time) AS latest BY DocID | eval Time_Take=latest-earliest | table DocID Time_Taken | rename Time_Taken AS "Time Taken"</LI-CODE><P>You can test the regex at&nbsp;<A href="https://regex101.com/r/TgQtHA/1" target="_blank">https://regex101.com/r/TgQtHA/1</A></P><P>Ciao.</P><P>Giuseppe</P> Fri, 13 Jan 2023 07:09:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-between-two-lines/m-p/627026#M217919 gcusello 2023-01-13T07:09:24Z