It isn't so clear to me what the values are when the if conditions are false:
In Splunk you use the if condition in an eval command, inserting the condition to verify and the values for condition=true and condition=false:
Thank you very much for your answer! Unfortunately it is not what I am looking for. I would like to set up a monitoring to detect if the latency of the file processing is too high. I have to calculate the time from server_a to server_b and back again. Per direction and in total. I can identify the event running from server_a -> server_b -> server_a by a unique id. I calculate the duration for 3 possible event_types in my current query, but so far I can't tell if the calculated duration is valid from server_a to server_b or from server_b to server_a.
Could you share a sample?
I'll try to interpret what you need:
you have a transaction identified by an ID that's the same in all events on server_a and server_b,
you want to calculate the time difference between these two servers (latency) and then the time difference from server_b to server_a,
to calculate the first you have two events with the same ID=12345 like these:
2019-11-11 12:09:20 server_a 12345
2019-11-11 12:09:30 server_b 12345
so the difference is 10 seconds.
Then you have:
2019-11-11 12:09:40 server_b 12345
2019-11-11 12:09:55 server_a 12345
so the difference is 15 seconds.
You want to display these latencies, is that correct?
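
An added example, not part of the original thread: one way to compute the per-direction latency for the four sample events in the reply above, pairing each event with the previous event of the same ID and keeping only the pairs where the server changes. The inline events are constructed from that sample; the field names (`server`, `id`, `direction`, `latency_s`, `transfer_total_s`, `too_slow`) and the 12-second threshold are assumptions chosen for illustration.

```spl
| makeresults
| eval raw="2019-11-11 12:09:20 server_a 12345;2019-11-11 12:09:30 server_b 12345;2019-11-11 12:09:40 server_b 12345;2019-11-11 12:09:55 server_a 12345"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<ts>\S+ \S+) (?<server>\S+) (?<id>\d+)$"
| eval _time=strptime(ts, "%Y-%m-%d %H:%M:%S")
| sort 0 id _time
| streamstats current=f global=f window=1 last(_time) as prev_time last(server) as prev_server by id
| where prev_server!=server
| eval direction=prev_server."->".server, latency_s=_time-prev_time
| stats sum(latency_s) as latency_s by id direction
| eventstats sum(latency_s) as transfer_total_s by id
| eval too_slow=if(latency_s>12, "yes", "no")
```

The `where` clause drops the server_b to server_b pair (time spent on server_b), so `transfer_total_s` is the sum of the two transfer legs only, and `direction` records which way each duration applies. On real data, replace everything up to the `sort` with the base search that already extracts `server` and `id`.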