If this log file is in Splunk, you could try:
search_foo | transaction host startswith="Start" endswith="Stop"
The resulting "duration" field will tell you how long it took.
http://www.splunk.com/base/Documentation/5.0/SearchReference/Transaction
If this log file is in Splunk, you could try:
search_foo | transaction host startswith="Start" endswith="Stop"
The resulting "duration" field will tell you how long it took.
http://www.splunk.com/base/Documentation/5.0/SearchReference/Transaction
If the answer solved your problem, please click the check box to the left to "accept" the answer.
Thanks for prompt response. I was able to get desire result.
Those events are in a log file. I would like to get 30 min as answer or list of those time period if there are multiple Start/Stop (matching first to first)
Are you trying to parse this from events returned from a search? Where are you getting these times from?