https://community.splunk.com/t5/Splunk-Search/How-to-calculate-individual-fail-time/m-p/668388#M229299 <P><SPAN>I have following data:<BR /><FONT color="#008000">02:00:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:00:05 Item=B Result=success </FONT><BR /><FONT color="#008000">02:05:00 Item=A Result=fail </FONT><BR /><FONT color="#008000">02:05:05 Item=B Result=success </FONT><BR /><FONT color="#008000">02:10:00 Item=A Result=fail </FONT><BR /><FONT color="#008000">02:10:05 Item=B Result=success </FONT><BR /><FONT color="#008000">02:15:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:15:05 Item=B Result=fail </FONT><BR /><FONT color="#008000">02:20:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:20:05 Item=B Result=fail </FONT><BR /><FONT color="#008000">02:25:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:25:05 Item=B Result=success </FONT><BR /><FONT color="#008000">02:30:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:30:05 Item=B Result=success </FONT><BR /><FONT color="#008000">02:35:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:35:05 Item=B Result=success </FONT><BR /><FONT color="#008000">02:40:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:40:05 Item=B Result=fail </FONT><BR /><FONT color="#008000">02:45:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:45:05 Item=B Result=success </FONT><BR /><FONT color="#008000">02:50:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:50:05 Item=B Result=success </FONT><BR /><FONT color="#008000">02:55:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:55:05 Item=B Result=success</FONT><BR /><BR />My desired results:<BR /><FONT color="#993366">Item StartTime EndTime Duration </FONT><BR /><FONT color="#993366">A&nbsp; &nbsp; &nbsp; &nbsp;02:05:00&nbsp; &nbsp; 02:15:00 00:10:00</FONT><BR /><FONT color="#993366">B&nbsp; &nbsp; &nbsp; &nbsp;02:15:05&nbsp; &nbsp; 02:25:05 00:10:00</FONT><BR /><FONT color="#993366">B&nbsp; &nbsp; &nbsp; &nbsp;02:40:05&nbsp; &nbsp; 02:45:05 00:05:00</FONT><BR /><BR />I had tried <STRONG>transaction</STRONG> and <STRONG>streamstats</STRONG> but got wrong results.<BR />Can anybody here help me to solve this problem?<BR />Thank you.</SPAN></P> Mon, 13 Nov 2023 07:08:42 GMT WK 2023-11-13T07:08:42Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-individual-fail-time/m-p/668388#M229299 <P><SPAN>I have following data:<BR /><FONT color="#008000">02:00:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:00:05 Item=B Result=success </FONT><BR /><FONT color="#008000">02:05:00 Item=A Result=fail </FONT><BR /><FONT color="#008000">02:05:05 Item=B Result=success </FONT><BR /><FONT color="#008000">02:10:00 Item=A Result=fail </FONT><BR /><FONT color="#008000">02:10:05 Item=B Result=success </FONT><BR /><FONT color="#008000">02:15:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:15:05 Item=B Result=fail </FONT><BR /><FONT color="#008000">02:20:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:20:05 Item=B Result=fail </FONT><BR /><FONT color="#008000">02:25:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:25:05 Item=B Result=success </FONT><BR /><FONT color="#008000">02:30:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:30:05 Item=B Result=success </FONT><BR /><FONT color="#008000">02:35:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:35:05 Item=B Result=success </FONT><BR /><FONT color="#008000">02:40:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:40:05 Item=B Result=fail </FONT><BR /><FONT color="#008000">02:45:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:45:05 Item=B Result=success </FONT><BR /><FONT color="#008000">02:50:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:50:05 Item=B Result=success </FONT><BR /><FONT color="#008000">02:55:00 Item=A Result=success </FONT><BR /><FONT color="#008000">02:55:05 Item=B Result=success</FONT><BR /><BR />My desired results:<BR /><FONT color="#993366">Item StartTime EndTime Duration </FONT><BR /><FONT color="#993366">A&nbsp; &nbsp; &nbsp; &nbsp;02:05:00&nbsp; &nbsp; 02:15:00 00:10:00</FONT><BR /><FONT color="#993366">B&nbsp; &nbsp; &nbsp; &nbsp;02:15:05&nbsp; &nbsp; 02:25:05 00:10:00</FONT><BR /><FONT color="#993366">B&nbsp; &nbsp; &nbsp; &nbsp;02:40:05&nbsp; &nbsp; 02:45:05 00:05:00</FONT><BR /><BR />I had tried <STRONG>transaction</STRONG> and <STRONG>streamstats</STRONG> but got wrong results.<BR />Can anybody here help me to solve this problem?<BR />Thank you.</SPAN></P> Mon, 13 Nov 2023 07:08:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-individual-fail-time/m-p/668388#M229299 WK 2023-11-13T07:08:42Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-individual-fail-time/m-p/668391#M229300 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/262416">@WK</a>,</P><P>what's the condition fro grouping?</P><P>How can I recognize StartTime and EndTime?</P><P>this is one of the few situation where to use the transactin command.</P><P>if you want to trace when there's a Fail and a following Success, you could try somethin like this:</P><LI-CODE lang="markup">&lt;your_search&gt; | transaction Item StartsWith="Result=Fail" EndsWith="Result=Success" | eval StartTime=strftime(_time,"%H:%M:%S), EndTime=strftime(_time+duration,"%H:%M:%S), Duration=tostring(duration,"duration") | table Item StartTime EndTime Duration</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Mon, 13 Nov 2023 07:14:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-individual-fail-time/m-p/668391#M229300 gcusello 2023-11-13T07:14:43Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-individual-fail-time/m-p/668393#M229301 <P>Thanks for your swift response.<BR />I need to calculate the duration between first "fail" to first "success" for every Item.<BR />Unfortunately the result is incorrect:<BR /><FONT color="#993366">Item StartTime EndTime Duration</FONT><BR /><FONT color="#993366">B&nbsp; &nbsp; &nbsp; &nbsp; 02:40:05 02:45:05 00:05:00</FONT><BR /><STRONG><FONT color="#FF0000">B&nbsp; &nbsp; &nbsp; &nbsp; 02:20:05 02:25:05 00:05:00</FONT></STRONG><BR /><STRONG><FONT color="#FF0000">B&nbsp; &nbsp; &nbsp; &nbsp; 02:15:05 02:30:05 00:15:00&nbsp; &nbsp; &nbsp;==&gt; should be "B&nbsp; 02:15:05 02:25:05 00:10:00"</FONT></STRONG><BR /><STRONG><FONT color="#FF0000">A&nbsp; &nbsp; &nbsp; &nbsp; 02:10:00 02:15:00 00:05:00</FONT></STRONG><BR /><STRONG><FONT color="#FF0000">A&nbsp; &nbsp; &nbsp; &nbsp; 02:05:00 02:20:00 00:15:00&nbsp; &nbsp; &nbsp;==&gt; should be "A&nbsp; 02:05:00 02:15:00 00:10:00"</FONT></STRONG></P><P><FONT color="#000000">I'd tried this method before, however consecutive "Result=fail" causes overlapped results.</FONT></P> Mon, 13 Nov 2023 07:30:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-individual-fail-time/m-p/668393#M229301 WK 2023-11-13T07:30:55Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-individual-fail-time/m-p/668461#M229322 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>'s answer should give you the desired output. &nbsp;Is it possible that some events come out of order? &nbsp;You can use sort to make sure events are in perfect revere time order.</P><P>&nbsp;</P><LI-CODE lang="markup">| sort - _time | transaction Item startswith="Result=fail" endswith="Result=success" | eval EndTime = _time + duration | fieldformat EndTime = strftime(EndTime, "%F %T") | fieldformat duration = tostring(duration, "duration") | fields Item _time EndTime duration</LI-CODE><P>&nbsp;</P><P>Here you can rename _time as StartTime if you wish, then format it for display. &nbsp;For large number of events, sort can be expensive. &nbsp;This is one of the costs of transaction when raw events are not perfectly in order.</P><P>Here is an emulation you can play with and compare with raw data</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval data = split("02:00:00 Item=A Result=success 02:00:05 Item=B Result=success 02:05:00 Item=A Result=fail 02:05:05 Item=B Result=success 02:10:00 Item=A Result=fail 02:10:05 Item=B Result=success 02:15:00 Item=A Result=success 02:15:05 Item=B Result=fail 02:20:00 Item=A Result=success 02:20:05 Item=B Result=fail 02:25:00 Item=A Result=success 02:25:05 Item=B Result=success 02:30:00 Item=A Result=success 02:30:05 Item=B Result=success 02:35:00 Item=A Result=success 02:35:05 Item=B Result=success 02:40:00 Item=A Result=success 02:40:05 Item=B Result=fail 02:45:00 Item=A Result=success 02:45:05 Item=B Result=success 02:50:00 Item=A Result=success 02:50:05 Item=B Result=success 02:55:00 Item=A Result=success 02:55:05 Item=B Result=success", " ") | mvexpand data | rename data as _raw | rex "^(?&lt;_time&gt;\S+)" | eval _time = strptime(_time, "%H:%M:%S") | extract ``` data emulation above ```</LI-CODE><P>&nbsp;</P><P>Combining the two, I get</P><TABLE><TBODY><TR><TD>Item</TD><TD>_time</TD><TD>EndTime</TD><TD>duration</TD><TD>_raw</TD></TR><TR><TD>B</TD><TD>2023-11-13 02:40:05</TD><TD>2023-11-13 02:45:05</TD><TD>00:05:00</TD><TD>02:40:05 Item=B Result=fail 02:45:05 Item=B Result=success</TD></TR><TR><TD>B</TD><TD>2023-11-13 02:20:05</TD><TD>2023-11-13 02:25:05</TD><TD>00:05:00</TD><TD>02:20:05 Item=B Result=fail 02:25:05 Item=B Result=success</TD></TR><TR><TD>B</TD><TD>2023-11-13 02:15:05</TD><TD>2023-11-13 02:30:05</TD><TD>00:15:00</TD><TD>02:15:05 Item=B Result=fail 02:30:05 Item=B Result=success</TD></TR><TR><TD>A</TD><TD>2023-11-13 02:10:00</TD><TD>2023-11-13 02:15:00</TD><TD>00:05:00</TD><TD>02:10:00 Item=A Result=fail 02:15:00 Item=A Result=success</TD></TR><TR><TD>A</TD><TD>2023-11-13 02:05:00</TD><TD>2023-11-13 02:20:00</TD><TD>00:15:00</TD><TD>02:05:00 Item=A Result=fail 02:20:00 Item=A Result=success</TD></TR></TBODY></TABLE> Mon, 13 Nov 2023 17:46:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-individual-fail-time/m-p/668461#M229322 yuanliu 2023-11-13T17:46:02Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-individual-fail-time/m-p/668491#M229332 <P>Hi,</P><P>Thanks for your response.<BR /><SPAN>My desired results:</SPAN><BR /><FONT color="#993366">Item StartTime EndTime Duration</FONT><BR /><FONT color="#993366">A&nbsp; &nbsp; &nbsp; &nbsp;02:05:00&nbsp; &nbsp; 02:15:00 00:10:00</FONT><BR /><FONT color="#993366">B&nbsp; &nbsp; &nbsp; &nbsp;02:15:05&nbsp; &nbsp; 02:25:05 00:10:00</FONT><BR /><FONT color="#993366">B&nbsp; &nbsp; &nbsp; &nbsp;02:40:05&nbsp; &nbsp; 02:45:05 00:05:00</FONT></P><P>I had tried similar methods like your but got wrong results.<BR /><STRONG>Fail duration</STRONG> should be calculated <FONT color="#808000">from first fail to first success</FONT>.<BR />Thus actual record count should be 3 instead of 5.<BR />Sorting may not be the root cause for my question.</P><P>It seems that if there are 2 "fail" events, "<STRONG>transaction</STRONG>" commands generates 2 overlapped records.<BR /><FONT color="#FF0000">B&nbsp; &nbsp; &nbsp; 02:20:05(fail)&nbsp; &nbsp; &nbsp;02:25:05(success)&nbsp; 00:05:00</FONT><BR /><FONT color="#FF0000">B&nbsp; &nbsp; &nbsp; 02:15:05(fail)&nbsp; &nbsp; &nbsp;02:30:05(success)&nbsp; 00:15:00</FONT><BR />Time duration of first one is included in second one.<BR />02:30:05(success) should not be considered as the end of fail event.<BR />02:25:05(success) is the correct one.</P> Tue, 14 Nov 2023 02:45:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-individual-fail-time/m-p/668491#M229332 WK 2023-11-14T02:45:27Z