I'm having some trouble coming up with the SPL for the following situation: I have some series of events with a timestamp. These events have a field extracted with a value of either "YES" or "NO". When sorted by _time, we end up with a list like the following:

_time    Result
time1    YES
time2    NO
time3    NO
time4    YES

I'd like to count the duration between the "NO" values and the next "YES" value. So in this case we'd have a duration equal to time4 - time2.

index=* sourcetype=*mantec* "Computer name" = raspberry_pi06 "Risk name" = WS.Reputation.1
| sort _time
| eval removed = if('Actual action' == "Quarantined", "YES", "NO")
| streamstats reset_before="("removed==\"YES\"")" last(_time) as lastTime first(_time) as firstTime count BY removed
| eval duration = round((lastTime - firstTime)/60,0)
| table removed duration count _time

I've tried to lean on streamstats, but the result is resetting the count at the last "NO" and doesn't count the time of the next "YES". We end up with a duration equal to time3 - time2. Also, in the case of a single "NO" followed by a "YES", we get a duration of 0, which is also incorrect. I feel like I'm missing something extremely obvious.
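The following query is an added example (editor's code, not part of the original question) showing one way to get the NO-to-next-YES duration with streamstats. It reuses the search terms and field names from the question; the helper fields noTime, firstNo and noCount are assumptions introduced here for illustration.

```spl
index=* sourcetype=*mantec* "Computer name"=raspberry_pi06 "Risk name"=WS.Reputation.1
| sort 0 _time
| eval removed = if('Actual action' == "Quarantined", "YES", "NO")
| eval noTime = if(removed == "NO", _time, null())
| streamstats reset_after="("removed==\"YES\"")" min(noTime) AS firstNo count(noTime) AS noCount
| where removed == "YES" AND noCount > 0
| eval duration = round((_time - firstNo)/60, 0)
| table _time firstNo duration noCount
```

Two things differ from the original attempt. First, the BY removed clause put the "YES" and "NO" events into separate streams, so the "NO" stream's last(_time) could only ever be the last "NO", never the following "YES"; dropping the BY and resetting after the "YES" row instead of before it lets that row inherit the running min(noTime) of the preceding "NO" run, which is exactly time4 - time2 for the sample above and a non-zero value for a single "NO" followed by a "YES". Second, count(noTime) only counts rows where noTime is non-null, so a "YES" that was not preceded by any "NO" (like time1) is filtered out by the where. Note that sort 0 is used because sort without a count truncates to 10,000 results by default, and a trailing run of "NO" events with no later "YES" is discarded by the where, so it will not appear in the table.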