https://community.splunk.com/t5/Splunk-Search/How-to-get-the-start-and-end-time-based-on-key-words-in-logs/m-p/629828#M218810 <P>Use rex to extract the file name portion from the string that you want.</P><P>For example, if you have the _raw string which contains your data as in your example, you can do this regular expression to extract the filex/filey parts</P><LI-CODE lang="markup">| rex " \d{6}_(?&lt;file&gt;[A-Za-z0-9]+)"</LI-CODE><P>that looks for a space + 6 digits then an _ before it then extracts a new field called "file" containing just the characters in the square brackets.</P><P>If you already have a field containing that entire string, then use</P><LI-CODE lang="markup">| rex field=your_field "\d{6}_(?&lt;file&gt;[A-Za-z0-9]+)"</LI-CODE><P>or change the regex as needed.&nbsp;</P><P>&nbsp;</P> Tue, 07 Feb 2023 05:59:10 GMT bowesmana 2023-02-07T05:59:10Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-start-and-end-time-based-on-key-words-in-logs/m-p/629664#M218752 <P>Hi folks looking for some expert opinion.</P> <P>my logs contains many diff files. I want to capture the start and end time for each file&nbsp;</P> <P>the logs looks like this</P> <P>timestamp 202301_filex_a_b.z started execution</P> <P>timestamp 202301_filex_a_b.z finished execution</P> <P>timestamp 202301_filey_e_f.z started execution</P> <P>timestamp 202301_filey_e_f.z finished execution</P> <P>The output would look something like</P> <P>filex | start timestamp | end timestamp | duration</P> <P>filey&nbsp;| start timestamp | end timestamp | duration</P> <P>I was able to do write diff search for start and end and then join them on the filename, but wondering if there is a better way to do it</P> <P>&nbsp;</P> Mon, 06 Feb 2023 15:08:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-start-and-end-time-based-on-key-words-in-logs/m-p/629664#M218752 merc14 2023-02-06T15:08:39Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-start-and-end-time-based-on-key-words-in-logs/m-p/629665#M218753 <P>Simple method is</P><LI-CODE lang="markup">| stats min(_time) as start max(_time) as end by file | eval duration=end-start</LI-CODE><P>That assumes the following</P><UL><LI>you have a field "file" containing the file name</LI><LI>_time is the log timestamp of the event</LI><LI>there are only 2 log messages per file and start always comes before end</LI></UL><P>It simply calculates the minimum and maximum value for the time and then calculates duration</P> Mon, 06 Feb 2023 03:47:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-start-and-end-time-based-on-key-words-in-logs/m-p/629665#M218753 bowesmana 2023-02-06T03:47:34Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-start-and-end-time-based-on-key-words-in-logs/m-p/629822#M218807 <P>need one more clarification, here file is a substring (filex, filey), can you please let me know how I can get the value for file&nbsp; and combine it with | stats&nbsp;</P> Tue, 07 Feb 2023 04:32:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-start-and-end-time-based-on-key-words-in-logs/m-p/629822#M218807 merc14 2023-02-07T04:32:33Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-start-and-end-time-based-on-key-words-in-logs/m-p/629828#M218810 <P>Use rex to extract the file name portion from the string that you want.</P><P>For example, if you have the _raw string which contains your data as in your example, you can do this regular expression to extract the filex/filey parts</P><LI-CODE lang="markup">| rex " \d{6}_(?&lt;file&gt;[A-Za-z0-9]+)"</LI-CODE><P>that looks for a space + 6 digits then an _ before it then extracts a new field called "file" containing just the characters in the square brackets.</P><P>If you already have a field containing that entire string, then use</P><LI-CODE lang="markup">| rex field=your_field "\d{6}_(?&lt;file&gt;[A-Za-z0-9]+)"</LI-CODE><P>or change the regex as needed.&nbsp;</P><P>&nbsp;</P> Tue, 07 Feb 2023 05:59:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-start-and-end-time-based-on-key-words-in-logs/m-p/629828#M218810 bowesmana 2023-02-07T05:59:10Z