https://community.splunk.com/t5/Splunk-Search/Report-on-timestamps-for-two-different-Eventtypes-in-the-same/m-p/143546#M39887 <P>I have two successful searches that I want to combine into one. Ideally, I'm trying to see for each segmentNo, what the process start time and process end time is, as well as duration. Both of the times are to be extracted from the timestamps for those events.</P> <P>With the two searches below, I can create two independent tables which give me information on three columns: segmentNo, host and (start/end)time. </P> <PRE><CODE>eventtype="processingstart" devID="XA123" segmentNo="*" |eval startTime=strftime(_time,"%Y-%m-%d %H:%M:%S")| dedup segmentNo |table host segmentNo startTime </CODE></PRE> <P>AND</P> <PRE><CODE>eventtype="processingend" devID="XA123" segmentNo="*" |eval endTime=strftime(_time,"%Y-%m-%d %H:%M:%S")| dedup segmentNo |table host segmentNo endTime </CODE></PRE> <P>I tried using append and join (w/ combinations of search AND search NOT) but they would not let me search by eventtype. I basically want Splunk to understand that the startTime comes from the timestamp of eventtype1 and endTime comes from the timestamp of eventtype 2. If I take a long approach, I can export tables from both these searches independently and combine them in Excel or something. But I'm looking for one single table from Splunk that will report a table on these fields: segmentNo, host, startTime, endTime, duration</P> <P>Any help would be appreciated <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 12 Feb 2015 22:38:50 GMT aramakrishnan 2015-02-12T22:38:50Z https://community.splunk.com/t5/Splunk-Search/Report-on-timestamps-for-two-different-Eventtypes-in-the-same/m-p/143546#M39887 <P>I have two successful searches that I want to combine into one. Ideally, I'm trying to see for each segmentNo, what the process start time and process end time is, as well as duration. Both of the times are to be extracted from the timestamps for those events.</P> <P>With the two searches below, I can create two independent tables which give me information on three columns: segmentNo, host and (start/end)time. </P> <PRE><CODE>eventtype="processingstart" devID="XA123" segmentNo="*" |eval startTime=strftime(_time,"%Y-%m-%d %H:%M:%S")| dedup segmentNo |table host segmentNo startTime </CODE></PRE> <P>AND</P> <PRE><CODE>eventtype="processingend" devID="XA123" segmentNo="*" |eval endTime=strftime(_time,"%Y-%m-%d %H:%M:%S")| dedup segmentNo |table host segmentNo endTime </CODE></PRE> <P>I tried using append and join (w/ combinations of search AND search NOT) but they would not let me search by eventtype. I basically want Splunk to understand that the startTime comes from the timestamp of eventtype1 and endTime comes from the timestamp of eventtype 2. If I take a long approach, I can export tables from both these searches independently and combine them in Excel or something. But I'm looking for one single table from Splunk that will report a table on these fields: segmentNo, host, startTime, endTime, duration</P> <P>Any help would be appreciated <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 12 Feb 2015 22:38:50 GMT https://community.splunk.com/t5/Splunk-Search/Report-on-timestamps-for-two-different-Eventtypes-in-the-same/m-p/143546#M39887 aramakrishnan 2015-02-12T22:38:50Z https://community.splunk.com/t5/Splunk-Search/Report-on-timestamps-for-two-different-Eventtypes-in-the-same/m-p/143547#M39888 <P>Have you tried <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join">Join</A></P> <PRE><CODE> eventtype="processingstart" devID="XA123" segmentNo="*" |eval startTime=strftime(_time,"%Y-%m-%d %H:%M:%S")| dedup segmentNo |table host segmentNo startTime| join segmentNo [search eventtype="processingend" devID="XA123" segmentNo="*" |eval endTime=strftime(_time,"%Y-%m-%d %H:%M:%S")| dedup segmentNo |table host segmentNo endTime] </CODE></PRE> <P>should give you the result you are looking for.</P> Fri, 13 Feb 2015 01:08:38 GMT https://community.splunk.com/t5/Splunk-Search/Report-on-timestamps-for-two-different-Eventtypes-in-the-same/m-p/143547#M39888 ramdaspr 2015-02-13T01:08:38Z