Hi @Roynsky,
With your sample data represented by the following events:
2023-11-10 17:00:10 Result=YES
2023-11-10 17:00:07 Result=NO
2023-11-10 17:00:05 Result=NO
2023-11-10 17:00:00 Result=YES
and sorted by _time descending (the default event sort order), here are two options:
1.
| streamstats reset_before="("Result==\"YES\"")" max(_time) as end_time
| eval duration=end_time-_time
| stats max(duration) as duration by end_time
=>
end_time,duration
1699635600,0
1699635610,5
The delta between 17:00:05 and 17:00:10 is 5 seconds ending at 17:00:10.
2.
source="Roynsky_time_delta.txt" host="splunk" sourcetype="roynsky_time_delta"
| transaction endswith=eval(Result=="YES")
``` or | transaction endswith=Result=YES for an exact term match ```
| table _time duration
_time,duration
1699635605,5
1699635600,0
The delta between 17:00:05 and 17:00:10 is 5 seconds starting at 17:00:05.
I don't have Symantec Endpoint Protection sample data available, but if actions have correlation identifiers associated with each sequence of quarantine events, you might also use stats:
| stats range(_time) as duration by correlation_id ``` or whatever the field is called ```