topic Unable to do simple calculation of aggregate durations between 2 states by host in Splunk Search https://community.splunk.com/t5/Splunk-Search/Unable-to-do-simple-calculation-of-aggregate-durations-between-2/m-p/676299#M231320 <P>Given that per host there are 2 events logged, one indicating transition to active and one indicating transition to inactive.&nbsp; I cant figure out a query that can accurately do this per host given the following stipulations.<BR /><BR />Given the first event within the query time range, it can be assumed the host was in the opposite state prior.<BR /><BR />Only calculate transitions between the 2 states, if there are multiple same events within transitions, calculate of the time of the first occuring.<BR /><BR />Include the latest condition up until the time the search is run.<BR /><BR /><BR /><BR /><BR /></P> Thu, 01 Feb 2024 17:11:13 GMT smahoney 2024-02-01T17:11:13Z Unable to do simple calculation of aggregate durations between 2 states by host https://community.splunk.com/t5/Splunk-Search/Unable-to-do-simple-calculation-of-aggregate-durations-between-2/m-p/676299#M231320 <P>Given that per host there are 2 events logged, one indicating transition to active and one indicating transition to inactive.&nbsp; I cant figure out a query that can accurately do this per host given the following stipulations.<BR /><BR />Given the first event within the query time range, it can be assumed the host was in the opposite state prior.<BR /><BR />Only calculate transitions between the 2 states, if there are multiple same events within transitions, calculate of the time of the first occuring.<BR /><BR />Include the latest condition up until the time the search is run.<BR /><BR /><BR /><BR /><BR /></P> Thu, 01 Feb 2024 17:11:13 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-do-simple-calculation-of-aggregate-durations-between-2/m-p/676299#M231320 smahoney 2024-02-01T17:11:13Z Re: Unable to do simple calculation of aggregate durations between 2 states by host https://community.splunk.com/t5/Splunk-Search/Unable-to-do-simple-calculation-of-aggregate-durations-between-2/m-p/676378#M231337 <P>"simple" is a subjective term!</P><P>Assuming you can evaluate state based on the events as being either 0 or 1 (I have used a random number to simulate different events), then you could try something like this</P><LI-CODE lang="markup">| eval state=if(random()%5 == 0, 0, 1) | streamstats range(state) as changed count as host_event by host global=f window=2 | eval changed = if(host_event == 1, 1, changed) | where changed == 1 | streamstats range(_time) as interval last(state) as state by host global=f window=2 | appendpipe [| stats last(state) as state last(_time) as last_event by host | addinfo | eval _time=info_max_time | eval interval=_time-last_event | fields - info_* last_event]</LI-CODE> Fri, 02 Feb 2024 10:59:01 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-do-simple-calculation-of-aggregate-durations-between-2/m-p/676378#M231337 ITWhisperer 2024-02-02T10:59:01Z