Hi all, I'm hoping that someone can help / point me in the right direction.

I have two events which are being fed into Splunk, one being a raise of an event flag, the other being the removal of the event flag.

Raising

Sep 2 10:32:45 SOFTWARE CEF:0|SOFTWARE|CLIENT|42|Agent Log Event|Agent Log Event|high|id=123 shost=Management start=2022-09-02 10:32:42 cs1Label=Affected Agents cs1=[SERVERNAME] (ip: None, component_id: ID) msg='AgentMissing' status flag was raised

Removal

Sep 2 10:34:33 SOFTWARE CEF:0|SOFTWARE|CLIENT|42|Agent Log Event|Agent Log Event|high|id=123 shost=Management start=2022-09-02 10:34:33 cs1Label=Affected Agents cs1=[SERVERNAME] (ip: None, component_id: ID) msg='AgentMissing' status flag was removed

After some browsing online & through the Splunk support pages I have been able to put together the following query:

(index=[INDEX] *agentmissing*) ("msg='AgentMissing' status flag was raised" OR "msg='AgentMissing' status flag was removed")
| rex field=_raw ".*\)\s+(?<status>.*)"
| stats latest(_time) as flag_finish by connection_type
| join connection_type
[ search index=[INDEX] ("msg='AgentMissing' status flag was raised") connection_type=*
| stats min(_time) as flag_start by connection_type]
| eval difference=flag_finish-flag_start
| eval flag_start=strftime(flag_start, "%Y-%m-%d %H:%M")
| eval flag_finish=strftime(flag_finish, "%Y-%m-%d %H:%M")
| eval difference=strftime(difference,"%H:%M:%S")
| table connection_type, flag_start, flag_finish, difference
| rename connection_type as Hostname, flag_start as "Flag Raised Time", flag_finish as "Flag End Time", difference as "Total Time"
| sort - difference

The above is working, however as I am using the "stats latest" command it is only showing the latest occurrence of the event.

However, I would like to display the time between these events for multiple occurrences. So as an example of the above, it was between 7:47 & 9:31, I would also like to see flags for other time occurrences.

TIA! 🙂