@bestSplunker You can see a working example with your data by copying/pasting this to your search window.
| makeresults
| eval data=split(replace("_time=2022-12-01T10:00:01.000Z, account_id=1, query user infomation.
_time=2022-12-01T10:00:02.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:03.000Z, account_id=1, query user infomation.
_time=2022-12-01T10:00:07.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:09.000Z, account_id=1, query user infomation.
_time=2022-12-01T10:00:11.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:12.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:13.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:14.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:22.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:01:27.000Z, account_id=3, query user infomation.
_time=2022-12-01T10:00:27.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:30.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:33.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:34.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:36.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:01:37.000Z, account_id=3, query user infomation.
_time=2022-12-01T10:01:39.000Z, account_id=1, query user infomation.
_time=2022-12-01T10:01:45.000Z, account_id=3, query user infomation.
_time=2022-12-01T10:01:47.000Z, account_id=3, query user infomation.
_time=2022-12-01T10:01:55.000Z, account_id=3, query user infomation.
_time=2022-12-01T10:01:59.000Z, account_id=3, query user infomation.", "\n", "###"), "###")
| mvexpand data
| rex field=data "_time=(?<t>\d+-\d+-\d+T\d+:\d+:\d+\.\d+Z), account_id=(?<account_id>\d+),"
| eval _time=strptime(t, "%FT%T.%QZ")
| table _time account_id
``` Above is just your example data setup ```
``` Use streamstats to calculate the event count and gap for each account ```
| streamstats c window=2 global=f range(_time) as gap by account_id
``` Remove the first event, so it doesn't get used in the gap average calculation ```
| where c=2
``` Now calculate the average and total span and gap count ```
| stats sum(gap) as span count as gap_count avg(gap) as avg_frequency by account_id
| where avg_frequency<5
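For cross-checking the streamstats/stats result outside Splunk, here is an added Python version of the same gap-and-average detection (example code, not from the thread): it parses the same line format, computes each account's gap between consecutive events in arrival order (as range(_time) over a window of 2 does), drops the first event per account, and flags accounts whose average gap is under 5 seconds. The sample lines are constructed and use a different spelling of "information" than the thread's data; the regex does not depend on it.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (same shape as the thread's data), in arrival order.
SAMPLE_LOG = """\
_time=2022-12-01T10:00:01.000Z, account_id=1, query user information.
_time=2022-12-01T10:00:02.000Z, account_id=2, query user information.
_time=2022-12-01T10:00:03.000Z, account_id=1, query user information.
_time=2022-12-01T10:00:07.000Z, account_id=2, query user information.
_time=2022-12-01T10:00:09.000Z, account_id=1, query user information.
_time=2022-12-01T10:00:11.000Z, account_id=2, query user information.
_time=2022-12-01T10:00:12.000Z, account_id=2, query user information.
_time=2022-12-01T10:00:13.000Z, account_id=2, query user information.
_time=2022-12-01T10:01:27.000Z, account_id=3, query user information.
_time=2022-12-01T10:00:14.000Z, account_id=2, query user information.
_time=2022-12-01T10:01:37.000Z, account_id=3, query user information.
_time=2022-12-01T10:01:39.000Z, account_id=1, query user information.
"""

# Same capture groups as the thread's rex stage.
LINE_RE = re.compile(r"_time=(?P<t>\d+-\d+-\d+T\d+:\d+:\d+\.\d+Z), account_id=(?P<account_id>\d+),")

def parse_events(text):
    """Return [(epoch_seconds, account_id), ...] in arrival order (rex + strptime stage)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line: skipped, as rex would leave the fields empty
        ts = datetime.strptime(m["t"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        events.append((ts.timestamp(), m["account_id"]))
    return events

def gap_stats(events):
    """Per-account span, gap_count and avg_frequency, mirroring streamstats window=2 by
    account_id (gap = range of the current and previous event's _time, so an out-of-order
    event still yields a positive gap) followed by stats; the first event per account
    contributes no gap, which is what the 'where c=2' filter achieves."""
    last_seen, gaps = {}, defaultdict(list)
    for ts, acct in events:
        if acct in last_seen:
            gaps[acct].append(abs(ts - last_seen[acct]))
        last_seen[acct] = ts
    return {a: {"span": sum(g), "gap_count": len(g), "avg_frequency": sum(g) / len(g)}
            for a, g in gaps.items()}

def flag_high_frequency(stats, threshold=5.0):
    """Accounts whose average gap between queries is below the threshold (seconds)."""
    return sorted(a for a, s in stats.items() if s["avg_frequency"] < threshold)
```

Because gaps are taken in arrival order rather than sorted time order, a late-arriving event (like the account 3 line above) is compared with its neighbour in the stream, exactly as streamstats does; sort by _time first if that is not what you want.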