I have two specific messages in splunk data that I'm searching for per user.
Example:
index="document" (message="inactive" OR message="active")
Not sure how to work out the time between those two messages based on the timestamp per user?
Perhaps this will help.
index="document" (message="inactive" OR message="active")
```Create a new field called "duration" that is the difference between the last value of _time and the current value```
| streamstats window=2 range(_time) as duration by user
```Show only the active users with duration greater than 5 minutes (300 seconds)```
| where (message="inactive" AND duration>300)
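As an added example, not part of the question or the answer above: a Python emulation of what the streamstats window=2 range(_time) by user step and the where clause compute over constructed sample events, plus a second pairing (not in the answer) that measures each "inactive" row from the first "active" row of that user's session. It assumes rows arrive in ascending _time order; the event list, user names and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not Splunk output): (_time epoch seconds, user, message)
SAMPLE_EVENTS = [
    (1000, "alice", "active"),
    (1100, "bob", "active"),
    (1200, "bob", "inactive"),    # 100 s after bob's previous row
    (1500, "alice", "inactive"),  # 500 s after alice's previous row
    (2000, "bob", "active"),
    (2300, "bob", "active"),      # a repeated 'active' row
    (2500, "bob", "inactive"),    # 200 s after the previous row, 500 s after the first 'active'
]

def streamstats_range_time(events, window=2):
    """Emulate `| streamstats window=N range(_time) as duration by user`.
    Assumption: rows are processed oldest first (add `| sort _time` or `| reverse`
    in SPL if the search returns newest first). For each user the last N rows seen
    so far form the window; range() is max(_time) - min(_time) over that window,
    so a user's first row gets 0. Returns rows as dicts with the new field."""
    recent = defaultdict(list)  # user -> _time of the last `window` rows
    out = []
    for t, user, message in sorted(events):
        recent[user] = (recent[user] + [t])[-window:]
        duration = max(recent[user]) - min(recent[user])
        out.append({"_time": t, "user": user, "message": message, "duration": duration})
    return out

def where_inactive_over(rows, seconds=300):
    """Emulate `| where (message="inactive" AND duration>300)`."""
    return [r for r in rows if r["message"] == "inactive" and r["duration"] > seconds]

def pair_session_start_to_inactive(events):
    """Variant not in the answer: pair each 'inactive' row with the FIRST 'active'
    row since the user's last 'inactive', so repeated 'active' rows do not reset
    the clock (window=2 measures only from the immediately preceding row)."""
    session_start = {}
    out = []
    for t, user, message in sorted(events):
        if message == "active":
            session_start.setdefault(user, t)
        elif message == "inactive" and user in session_start:
            out.append({"_time": t, "user": user, "duration": t - session_start.pop(user)})
    return out

if __name__ == "__main__":
    rows = streamstats_range_time(SAMPLE_EVENTS)
    print(where_inactive_over(rows))            # only alice's 500 s gap survives
    print(pair_session_start_to_inactive(SAMPLE_EVENTS))
```

With the constructed data, bob's last "inactive" gets duration 200 from the window=2 step (measured from the repeated "active" row) but 500 when measured from the session's first "active" row.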