I am trying to determine the length of a spike to see if it goes beyond our requirements.
Here is a test of my search:
index="database" source = IIQDB:*
| fields _time, FileGrpName, source, sourcetype, database,Spaced_Used_Per, AvailSpaceMB, Value, SQL_Server_Process_CPU_Utilization,System_Idle_Process, Other_Process_CPU_Utilization,free_log_space_Perc, lag_seconds, Requests, host, server ,Task_Name, job, recent_failures, last_run, Target
| rex field=host "^(?P<hostname>[^\.]+)"
| rex field=Value "(?P<pctValue>.*)\%"
| eval TasksPaused = if(sourcetype="mssql:AGS:TaskSchP",Task_Name, null())
| search TasksPaused="*" TasksPaused="Intel-TaskSchedule-FullTextIndexRefresh" host="agsprdb1.ed.cps.intel.com"
| eval ptime=strptime(last_run,"%Y-%m-%d %H:%M:%S")
| eval TimeDiff=(now()-ptime)/60
| sort _time
| streamstats reset_on_change=true earliest(_time) as earlyTime latest(_time) as lastTime by TasksPaused
| eval duration = (lastTime - earlyTime)/60
Some of it is extra from the whole search. I am trying to narrow down the problem with this section.
I wish we could post a picture of our timeline, but I will simulate it here.
/\ ---/\ /--------\
--------/ \--------------------/ \-------------------------------/ \--------------------------------------------