Hi all, I'm hoping that someone can help / point me in the right direction.
I have two events which are being fed into Splunk, one being the raising of an event flag, the other being the removal of the event flag.
Raising
Sep 2 10:32:45 SOFTWARE CEF:0|SOFTWARE|CLIENT|42|Agent Log Event|Agent Log Event|high|id=123 shost=Management start=2022-09-02 10:32:42 cs1Label=Affected Agents cs1=[SERVERNAME] (ip: None, component_id: ID) msg='AgentMissing' status flag was raised
Removal
Sep 2 10:34:33 SOFTWARE CEF:0|SOFTWARE|CLIENT|42|Agent Log Event|Agent Log Event|high|id=123 shost=Management start=2022-09-02 10:34:33 cs1Label=Affected Agents cs1=[SERVERNAME] (ip: None, component_id: ID) msg='AgentMissing' status flag was removed
After some browsing online & through the Splunk support pages I have been able to put together the following query:
(index=[INDEX] *agentmissing*) ("msg='AgentMissing' status flag was raised" OR "msg='AgentMissing' status flag was removed")
| rex field=_raw ".*\)\s+(?<status>.*)"
| stats latest(_time) as flag_finish by connection_type
| join connection_type
[ search index=[INDEX] ("msg='AgentMissing' status flag was raised") connection_type=*
| stats min(_time) as flag_start by connection_type]
| eval difference=flag_finish-flag_start
| eval flag_start=strftime(flag_start, "%Y-%m-%d %H:%M")
| eval flag_finish=strftime(flag_finish, "%Y-%m-%d %H:%M")
| eval difference=tostring(difference,"duration")
| table connection_type, flag_start, flag_finish, difference
| rename connection_type as Hostname, flag_start as "Flag Raised Time", flag_finish as "Flag End Time", difference as "Total Time"
| sort - difference
The above is working; however, as I am using the "stats latest" command, it is only showing the latest occurrence of the event.
However, I would like to display the time between these events for multiple occurrences. So, as an example of the above, it was between 7:47 & 9:31; I would also like to see flags for other time occurrences.
TIA! 🙂
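As an added example, not part of the original post and not a Splunk query: the same raised/removed pairing in Python over constructed CEF lines (hostnames srv01/srv02 and times are made up), keeping one interval per raise rather than only the latest. The duration is formatted by arithmetic because strftime on a difference in seconds treats it as an epoch time and shifts it by the local timezone offset.

```python
import re
from datetime import datetime
# Template for constructed sample events, modelled on the CEF lines in the post
# (hostnames srv01/srv02 and times are made up; 'hms' fills both timestamps).
TEMPLATE = ("Sep 2 {hms} SOFTWARE CEF:0|SOFTWARE|CLIENT|42|Agent Log Event|Agent Log Event|high|"
            "id=123 shost=Management start=2022-09-02 {hms} cs1Label=Affected Agents "
            "cs1=[{host}] (ip: None, component_id: ID) msg='AgentMissing' status flag was {status}")

SAMPLE_EVENTS = [
    TEMPLATE.format(hms="07:47:00", host="srv01", status="raised"),
    TEMPLATE.format(hms="09:31:00", host="srv01", status="removed"),
    TEMPLATE.format(hms="10:32:42", host="srv02", status="raised"),
    TEMPLATE.format(hms="10:34:33", host="srv02", status="removed"),
    TEMPLATE.format(hms="11:00:00", host="srv01", status="raised"),   # second raise, still open
]

# The start= timestamp, the host inside cs1=[...] and whether the flag was raised or removed.
CEF_RE = re.compile(
    r"start=(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?"
    r"cs1=\[(?P<host>[^\]]+)\].*?"
    r"msg='AgentMissing' status flag was (?P<status>raised|removed)$"
)

def parse_event(line):
    """Return {'host', 'status', 'time'} for an AgentMissing line, or None if it does not match."""
    m = CEF_RE.search(line)
    if not m:
        return None
    return {"host": m["host"], "status": m["status"],
            "time": datetime.strptime(m["start"], "%Y-%m-%d %H:%M:%S")}

def flag_intervals(lines):
    """Pair every 'raised' with the next 'removed' for the same host, in time order."""
    events = sorted(filter(None, map(parse_event, lines)), key=lambda e: e["time"])
    open_flags = {}   # host -> time its flag was raised and not yet removed
    intervals = []
    for e in events:
        if e["status"] == "raised":
            open_flags.setdefault(e["host"], e["time"])   # a repeated raise keeps the first time
        elif e["host"] in open_flags:                    # 'removed' closes the open flag; a stray one is ignored
            start = open_flags.pop(e["host"])
            intervals.append({"host": e["host"], "raised": start, "removed": e["time"],
                              "seconds": int((e["time"] - start).total_seconds())})
    for host, start in open_flags.items():                # flags still open at the end of the data
        intervals.append({"host": host, "raised": start, "removed": None, "seconds": None})
    return intervals

def fmt_duration(seconds):
    """Format a duration in seconds as H:MM:SS by arithmetic, not as an epoch time."""
    return "%d:%02d:%02d" % (seconds // 3600, seconds % 3600 // 60, seconds % 60)
```

Running `flag_intervals(SAMPLE_EVENTS)` yields one row per raise, including the srv01 flag that is still open.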