Hello,

We are new to Splunk , learning and working customer requirments.

You are requested to help on merging these two queries in order to to use Start Time and End Time
from Event 1 in JMS Queue pending messages count > 0 after startTime and < 0 after endTime as Publisher and Subscribers are two seperate Java Applications in PCF:

Search - 1
==========
cf_org_name="####" cf_app_name="APP1" sourcetype="cf:logmessage" OR source = "XXXXX.EMS.STAT.QUEUES.SPLUNK.0.2021022312"
| fields msg.message msg.timestamp
| spath
| rename msg.message as message
| rename msg.timestamp as timestamp
| search message = "*Start of scheduler job cron:*" OR "*End of scheduler job executed in*"
| eval startMessage=case( match(message, "Start of scheduler job cron:"), message)
| eval endMessage=case(match(message, "End of scheduler job executed in"), message)
| rex field=startMessage "[^\#]+\#(?<schedulerJobStartTime>.*)"
| rex field=endMessage "[^\#]+\#(?<schedulerJobEndTime>.*)"
| stats max(schedulerJobStartTime) as latestJobStartTime max(schedulerJobEndTime) as latestJobEndTime
| eval latestJobStartTimeExpanded=strftime(latestJobStartTime/pow(10,3),"%Y-%m-%dT%H:%M:%S.%Q")
| eval latestJobEndTimeExpanded=strftime(latestJobEndTime/pow(10,3),"%Y-%m-%dT%H:%M:%S.%Q")
| eval duration=((latestJobEndTime - latestJobStartTime)/1000)/60/60
| spath output=pendingMessageCount path=queues{0}.pendingMessageCount
| spath output=msgTimeStampField path=key{0}.msgTimeStamp

Search - 2
==========
sourcetype=fedex:jms:queues| spath "queues.name" | search "queues.name"="XXXXPLAN.QNX"
| spath output=pendingMessageCount path=queues{0}.pendingMessageCount
| spath output=msgTimeStampField path=key{0}.msgTimeStamp
| search pendingMessageCount = "0"
| eval msgTimeStampFieldExpanded=strftime(msgTimeStampField/pow(10,3),"%Y-%m-%dT%H:%M:%S.%Q")
| stats min(msgTimeStampFieldExpanded) as msgTimeStampFieldExpandedMin max(msgTimeStampFieldExpanded) as msgTimeStampFieldExpandedMax

Regards,

Bojja