Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get stats from different events?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get stats from different events?
How do i get different events names and same reference ID stat time from one event and end time from one event and average for total time for span of time?
eventName 505 (startTime) - ----507 with PROCESSED status(endtime) . total avarage time
=================================================================
Index= caudit eventName=505
|search "EventStreamData.args.verificationId"="8387be8f"
|EventStreamData.requestContext.eventStartTime=*
Index= caudit eventName=507
|search "EventStreamData.args.verificationId"="8387be8f"
|EventStreamData.response.verificationStatus"=PROCESSED
|EventStreamData.requestContext.eventEndTime=*
the result will be :
start time. End time . average time
12:00: 00 12.00: 30 . .000000xxx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index= caudit AND (eventName=505 OR eventName=507)
| streamstats count(eval("EventStreamData.response.verificationStatus"=PROCESSED)) AS sessionID BY EventStreamData.args.verificationId
| stats min(_time) AS start_time max(_time) AS end_time range(_time) AS duration BY EventStreamData.args.verificationId sessionID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The query won't work for me
Here my business modal starts, eventName=505 reference ID will create here from 505 "EventStreamData start time " and with the same reference ID some of the requests only going through eventName=507, here(507) verification status=PROCESSED then "EventStreamData end time " end time from here
both starting times to end time average Time needs to be displayed
Index= caudit eventName=505
|search "EventStreamData.args.verificationId"="8387be8f"
|EventStreamData.requestContext.eventStartTime=*
Index= caudit eventName=507
|search "EventStreamData.args.verificationId"="8387be8f"
|EventStreamData.response.verificationStatus"=PROCESSED
|EventStreamData.requestContext.eventEndTime=*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I gave you enough for you to craft a complete solution. I cannot help you because you are mixing and matching things that do not make sense. You cannot really have a start, end, and average time. You need to be more clear about your example. In any case, I think if you really think about my answer, it has everything that you need to do anything that you might like to do.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
