https://community.splunk.com/t5/Splunk-Search/Calculate-duration-between-events/m-p/185818#M53543 <P>Hi,</P> <P>I have a log file with many events like below</P> <P>2015-01-16 10:19:12 [APP1;STORE] Activated configuration 'Prod'<BR /> 2015-01-16 11:29:13 [APP1;STORE] Activated configuration 'Test'<BR /> 2015-01-16 12:30:51 [APP1;STORE] Activated configuration 'Prod'<BR /> 2015-01-16 15:50:03 [APP1;STORE] Activated configuration 'No Data'</P> <P>Each event indicates a configuration activation. so the time difference is the time the previous config was active. </P> <P>I'm extracting these fields</P> <P><STRONG>Configuration</STRONG>: values can be Prod, Test, No Data<BR /> <STRONG>Application</STRONG>: values can be APP1,APP2</P> <P>I want to calculate how long each configuration was active in APP1</P> <P>-Sreerag</P> Fri, 16 Jan 2015 22:13:42 GMT SreeragM 2015-01-16T22:13:42Z https://community.splunk.com/t5/Splunk-Search/Calculate-duration-between-events/m-p/185818#M53543 <P>Hi,</P> <P>I have a log file with many events like below</P> <P>2015-01-16 10:19:12 [APP1;STORE] Activated configuration 'Prod'<BR /> 2015-01-16 11:29:13 [APP1;STORE] Activated configuration 'Test'<BR /> 2015-01-16 12:30:51 [APP1;STORE] Activated configuration 'Prod'<BR /> 2015-01-16 15:50:03 [APP1;STORE] Activated configuration 'No Data'</P> <P>Each event indicates a configuration activation. so the time difference is the time the previous config was active. </P> <P>I'm extracting these fields</P> <P><STRONG>Configuration</STRONG>: values can be Prod, Test, No Data<BR /> <STRONG>Application</STRONG>: values can be APP1,APP2</P> <P>I want to calculate how long each configuration was active in APP1</P> <P>-Sreerag</P> Fri, 16 Jan 2015 22:13:42 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-duration-between-events/m-p/185818#M53543 SreeragM 2015-01-16T22:13:42Z https://community.splunk.com/t5/Splunk-Search/Calculate-duration-between-events/m-p/185819#M53544 <P>Does something like this work for you?</P> <PRE><CODE>config_value=prod OR config_value=Test OR config_value=No Data application=APP1 OR application=APP2 | delta _time as tdelta | stats list(tdelta) by application </CODE></PRE> Fri, 16 Jan 2015 22:23:37 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-duration-between-events/m-p/185819#M53544 aljohnson_splun 2015-01-16T22:23:37Z https://community.splunk.com/t5/Splunk-Search/Calculate-duration-between-events/m-p/185820#M53545 <P>You could try this:</P> <P>yoursearchhere<BR /> | sort _time<BR /> | delta _time as Duration<BR /> | table Application Configuration Duration<BR /> | eventstats sum(Duration) as AppDuration by Application<BR /> | fieldformat Duration=tostring(Duration,"duration")<BR /> | fieldformat AppDuration=tostring(AppDuration,"duration")</P> Fri, 16 Jan 2015 22:40:33 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-duration-between-events/m-p/185820#M53545 lguinn2 2015-01-16T22:40:33Z