https://community.splunk.com/t5/Splunk-Search/Display-multiple-event-duration-as-columns-with-sequence-number/m-p/164539#M46715 <P>Let me just express my appreciation for your question. I love Splunk and sometimes challenging questions like this highlight the flexibility of the Search Processing Language (SPL). </P> <P>In this case we have taken your data set and modified the time stamps to ensure some things are clear. Most notably, the date in seconds has been modified to point out the following:</P> <UL> <LI>Total transaction time is 15 seconds</LI> <LI>Step A1 takes one (1) second </LI> <LI>Step A2 takes two (2) seconds </LI> <LI>Step A3 takes three (3) second </LI> <LI>Step B1 takes one (1) second </LI> <LI><P>Step B2 takes two (2) seconds</P> <P>20150421 10:20:10 Step=stepStart, Tid=1234<BR /> 20150421 10:20:11 Step=stepAStart, Tid=1234<BR /> 20150421 10:20:12 Step=stepAEnd, Tid=1234<BR /> 20150421 10:20:13 Step=stepBStart, Tid=1234<BR /> 20150421 10:20:14 Step=stepBEnd, Tid=1234<BR /> 20150421 10:20:15 Step=stepAStart, Tid=1234<BR /> 20150421 10:20:17 Step=stepAEnd, Tid=1234<BR /> 20150421 10:20:18 Step=stepBStart, Tid=1234<BR /> 20150421 10:20:20 Step=stepBEnd, Tid=1234<BR /> 20150421 10:20:21 Step=stepAStart, Tid=1234<BR /> 20150421 10:20:24 Step=stepAEnd, Tid=1234<BR /> 20150421 10:20:25 Step=stepEnd, Tid=1234<BR /> Once we indexed the data, we used an in-line regular expression to obtain the type of the Step being taken.</P> <PRE><CODE>sourcetype="answers-1429817656" </CODE></PRE> <P>| rex "Step=(?<STEPA>step[A])(?:Start|End)"<BR /> | rex "Step=(?<STEPB>step[B])(?:Start|End)"<BR /> We then captured each transaction. Because the steps are sequential we used <CODE>reverse</CODE> to reflect human ordering. We also assigned an ascending id using <CODE>accum</CODE> to keep them in check for later.</STEPB></STEPA></P> <P>| transaction startswith="*Start" endswith="*End" <BR /> | reverse <BR /> | eval id=1 | accum id <BR /> If you are trying this, at this point, you should see something like this:</P></LI> </UL> <P><IMG src="https://community.splunk.com/storage/temp/34830-answers-1429817656-1.png" alt="alt text" /></P> <HR /> <P>From this point we manipulated the data to reflect your desired format. Firstly we reduced the data set to reflect the necessary fields in a nice table. Secondly we calculated the value for each step type and assign a variable. Here is that recipe:</P> <PRE><CODE>| stats list(duration) AS duration list(StepA) AS StepA list(StepB) AS StepB list(Step) AS Step by Tid id | eval ida=if(isnotnull(StepA),1,null()) | accum ida | eval idb=if(isnotnull(StepB),1,null()) | accum idb | eval Step=if(isnotnull(StepA),StepA.ida,if(isnotnull(StepB),StepB.idb,Step)) </CODE></PRE> <P>We were then inspired to <STRONG>(╯°□°）╯︵ ┻━┻</STRONG></P> <PRE><CODE>| xyseries Tid Step duration </CODE></PRE> <P>This should provide you the following results:</P> <P><IMG src="https://community.splunk.com/storage/temp/34831-answers-1429817656-2.png" alt="alt text" /></P> <P>I hope this helps you,</P> <P>--gc</P> Mon, 28 Sep 2020 19:37:10 GMT Gilberto_Castil 2020-09-28T19:37:10Z https://community.splunk.com/t5/Splunk-Search/Display-multiple-event-duration-as-columns-with-sequence-number/m-p/164538#M46714 <H2>I'm trying to calculate duration of stepAStart to stepAEnd and display them as columns with sequence number (eg StepA1, StepA2 ...). There is no steps between StepAStart and StepAEnd and the event pair may occur multiple times. The same for StepBStart and StepBEnd.</H2> <P>20150421 10:20:10 Step=stepStart, Tid=1234<BR /> 20150421 10:20:11 Step=stepAStart, Tid=1234<BR /> 20150421 10:20:12 Step=stepAEnd, Tid=1234<BR /> 20150421 10:20:13 Step=stepBStart, Tid=1234<BR /> 20150421 10:20:14 Step=stepBEnd, Tid=1234<BR /> 20150421 10:20:15 Step=stepAStart, Tid=1234<BR /> 20150421 10:20:16 Step=stepAEnd, Tid=1234<BR /> 20150421 10:20:17 Step=stepBStart, Tid=1234<BR /> 20150421 10:20:18 Step=stepBEnd, Tid=1234<BR /> 20150421 10:20:19 Step=stepAStart, Tid=1234<BR /> 20150421 10:20:20 Step=stepAEnd, Tid=1234<BR /> 20150421 10:20:21 Step=stepEnd, Tid=1234</P> <H2>The result should be</H2> <P>Tid StepStartEndDuration StepA1 StepA2 StepA3 StepB1 StepB2 </P> <H2>1234 11 1 1 1 1 1</H2> <P>I tried the following but it returned multiple rows. How do I pivot the result? </P> <P>source="<EM>PerfMetrics</EM>" <BR /> |sort _time<BR /> |delta _time as StepTime p=1<BR /> |eval StepATime = if(Step="stepAEnd",StepTime,0)<BR /> |eval StepBTime = if(Step="stepBEnd",StepTime,0)<BR /> |transaction TId<BR /> |eval StepStartEndDuration = duration <BR /> |table StepStartEndDuration, StepATime, StepBTime</P> Thu, 23 Apr 2015 18:11:05 GMT https://community.splunk.com/t5/Splunk-Search/Display-multiple-event-duration-as-columns-with-sequence-number/m-p/164538#M46714 CatherineLiu007 2015-04-23T18:11:05Z https://community.splunk.com/t5/Splunk-Search/Display-multiple-event-duration-as-columns-with-sequence-number/m-p/164539#M46715 <P>Let me just express my appreciation for your question. I love Splunk and sometimes challenging questions like this highlight the flexibility of the Search Processing Language (SPL). </P> <P>In this case we have taken your data set and modified the time stamps to ensure some things are clear. Most notably, the date in seconds has been modified to point out the following:</P> <UL> <LI>Total transaction time is 15 seconds</LI> <LI>Step A1 takes one (1) second </LI> <LI>Step A2 takes two (2) seconds </LI> <LI>Step A3 takes three (3) second </LI> <LI>Step B1 takes one (1) second </LI> <LI><P>Step B2 takes two (2) seconds</P> <P>20150421 10:20:10 Step=stepStart, Tid=1234<BR /> 20150421 10:20:11 Step=stepAStart, Tid=1234<BR /> 20150421 10:20:12 Step=stepAEnd, Tid=1234<BR /> 20150421 10:20:13 Step=stepBStart, Tid=1234<BR /> 20150421 10:20:14 Step=stepBEnd, Tid=1234<BR /> 20150421 10:20:15 Step=stepAStart, Tid=1234<BR /> 20150421 10:20:17 Step=stepAEnd, Tid=1234<BR /> 20150421 10:20:18 Step=stepBStart, Tid=1234<BR /> 20150421 10:20:20 Step=stepBEnd, Tid=1234<BR /> 20150421 10:20:21 Step=stepAStart, Tid=1234<BR /> 20150421 10:20:24 Step=stepAEnd, Tid=1234<BR /> 20150421 10:20:25 Step=stepEnd, Tid=1234<BR /> Once we indexed the data, we used an in-line regular expression to obtain the type of the Step being taken.</P> <PRE><CODE>sourcetype="answers-1429817656" </CODE></PRE> <P>| rex "Step=(?<STEPA>step[A])(?:Start|End)"<BR /> | rex "Step=(?<STEPB>step[B])(?:Start|End)"<BR /> We then captured each transaction. Because the steps are sequential we used <CODE>reverse</CODE> to reflect human ordering. We also assigned an ascending id using <CODE>accum</CODE> to keep them in check for later.</STEPB></STEPA></P> <P>| transaction startswith="*Start" endswith="*End" <BR /> | reverse <BR /> | eval id=1 | accum id <BR /> If you are trying this, at this point, you should see something like this:</P></LI> </UL> <P><IMG src="https://community.splunk.com/storage/temp/34830-answers-1429817656-1.png" alt="alt text" /></P> <HR /> <P>From this point we manipulated the data to reflect your desired format. Firstly we reduced the data set to reflect the necessary fields in a nice table. Secondly we calculated the value for each step type and assign a variable. Here is that recipe:</P> <PRE><CODE>| stats list(duration) AS duration list(StepA) AS StepA list(StepB) AS StepB list(Step) AS Step by Tid id | eval ida=if(isnotnull(StepA),1,null()) | accum ida | eval idb=if(isnotnull(StepB),1,null()) | accum idb | eval Step=if(isnotnull(StepA),StepA.ida,if(isnotnull(StepB),StepB.idb,Step)) </CODE></PRE> <P>We were then inspired to <STRONG>(╯°□°）╯︵ ┻━┻</STRONG></P> <PRE><CODE>| xyseries Tid Step duration </CODE></PRE> <P>This should provide you the following results:</P> <P><IMG src="https://community.splunk.com/storage/temp/34831-answers-1429817656-2.png" alt="alt text" /></P> <P>I hope this helps you,</P> <P>--gc</P> Mon, 28 Sep 2020 19:37:10 GMT https://community.splunk.com/t5/Splunk-Search/Display-multiple-event-duration-as-columns-with-sequence-number/m-p/164539#M46715 Gilberto_Castil 2020-09-28T19:37:10Z https://community.splunk.com/t5/Splunk-Search/Display-multiple-event-duration-as-columns-with-sequence-number/m-p/164540#M46716 <P>Thank you so much Gilberto. You have been great help. I'm really amazed what Splunk can do. I'm interested to learn more. Another question - when I have more than 10 occurrences of stepAs or stepBs I got column sequence as below<BR /> Tid, StepB1, StepB10, StepB11, StepB2, ..., StepB9, Step (for StepStart/StepEnd), StepA1, StepA10, Step2,...,Step9. <BR /> I added a sort before the last statement and that did not help. Is there a way to display the columns like<BR /> Tid, Step (for StepStart/StepEnd), StepA01, ...StepA11, StepB01, ..., StepB11</P> Fri, 24 Apr 2015 19:58:19 GMT https://community.splunk.com/t5/Splunk-Search/Display-multiple-event-duration-as-columns-with-sequence-number/m-p/164540#M46716 CatherineLiu007 2015-04-24T19:58:19Z https://community.splunk.com/t5/Splunk-Search/Display-multiple-event-duration-as-columns-with-sequence-number/m-p/164541#M46717 <P>The horizontal display of fields is governed by an alpha-numeric ordering. I would expect to see </P> <PRE><CODE>Tid, StepA1, StepA2 ... StepA11, StepB1 ... StepB9, StepStart StepEnd </CODE></PRE> <P>If you reassign the field value prior to the <CODE>xyseries</CODE> piece, then you can get it done. Like this:</P> <PRE><CODE>| eval Step=if(isnotnull(StepA),StepA.ida,if(isnotnull(StepB),StepB.idb,Step)) | eval Step=if(Step=="stepEnd","StepStart/StepEnd",Step) | xyseries Tid Step duration </CODE></PRE> Fri, 24 Apr 2015 21:05:43 GMT https://community.splunk.com/t5/Splunk-Search/Display-multiple-event-duration-as-columns-with-sequence-number/m-p/164541#M46717 Gilberto_Castil 2015-04-24T21:05:43Z