https://community.splunk.com/t5/Splunk-Search/query-for-transactions-or-grouping-events/m-p/543472#M153936 <P>Hi Team,</P><P>I have the below logs in splunk and i'm looking for query to get the time taken to compete the run by each bot for each scheduled run(Run bot deployed is the start of the bot and Run bot finished is the end of the bot).A bot can run more than once in a day and need average run time as well.I tried using transaction command but not getting desired results.</P><P>Thanks for the help</P><P>11/03/2021 22:22:20.600 STATUS=Successful,ACTIVITY AT=2021-03-11T22:22:19Z,ACTION TYPE=Run bot finished,ITEM NAME=fin_bot<BR />11/03/2021 22:00:27.000 STATUS=Successful,ACTIVITY AT=2021-03-11T22:00:26Z,ACTION TYPE=Run bot Deployed,ITEM NAME=fin_bot<BR />11/03/2021 15:20:04.400 STATUS=Successful,ACTIVITY AT=2021-03-11T15:20:04Z,ACTION TYPE=Run bot finished,ITEM NAME=fin_bot<BR />11/03/2021 15:00:23.000 STATUS=Successful,ACTIVITY AT=2021-03-11T15:00:22Z,ACTION TYPE=Run bot Deployed,ITEM NAME=fin_bot<BR />12/03/2021 04:02:15.800 STATUS=Successful,ACTIVITY AT=2021-03-12T04:02:14Z,ACTION TYPE=Run bot finished,ITEM NAME=tax_bot<BR />12/03/2021 04:00:23.780 STATUS=Successful,ACTIVITY AT=2021-03-12T04:00:23Z,ACTION TYPE=Run bot Deployed,ITEM NAME=tax_bot</P> Fri, 12 Mar 2021 04:50:30 GMT splunk_ier 2021-03-12T04:50:30Z https://community.splunk.com/t5/Splunk-Search/query-for-transactions-or-grouping-events/m-p/543472#M153936 <P>Hi Team,</P><P>I have the below logs in splunk and i'm looking for query to get the time taken to compete the run by each bot for each scheduled run(Run bot deployed is the start of the bot and Run bot finished is the end of the bot).A bot can run more than once in a day and need average run time as well.I tried using transaction command but not getting desired results.</P><P>Thanks for the help</P><P>11/03/2021 22:22:20.600 STATUS=Successful,ACTIVITY AT=2021-03-11T22:22:19Z,ACTION TYPE=Run bot finished,ITEM NAME=fin_bot<BR />11/03/2021 22:00:27.000 STATUS=Successful,ACTIVITY AT=2021-03-11T22:00:26Z,ACTION TYPE=Run bot Deployed,ITEM NAME=fin_bot<BR />11/03/2021 15:20:04.400 STATUS=Successful,ACTIVITY AT=2021-03-11T15:20:04Z,ACTION TYPE=Run bot finished,ITEM NAME=fin_bot<BR />11/03/2021 15:00:23.000 STATUS=Successful,ACTIVITY AT=2021-03-11T15:00:22Z,ACTION TYPE=Run bot Deployed,ITEM NAME=fin_bot<BR />12/03/2021 04:02:15.800 STATUS=Successful,ACTIVITY AT=2021-03-12T04:02:14Z,ACTION TYPE=Run bot finished,ITEM NAME=tax_bot<BR />12/03/2021 04:00:23.780 STATUS=Successful,ACTIVITY AT=2021-03-12T04:00:23Z,ACTION TYPE=Run bot Deployed,ITEM NAME=tax_bot</P> Fri, 12 Mar 2021 04:50:30 GMT https://community.splunk.com/t5/Splunk-Search/query-for-transactions-or-grouping-events/m-p/543472#M153936 splunk_ier 2021-03-12T04:50:30Z https://community.splunk.com/t5/Splunk-Search/query-for-transactions-or-grouping-events/m-p/543477#M153939 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232412">@splunk_ier</a>,<BR /><BR />Use transaction command with satrtwith and endswith options like below:</P><LI-CODE lang="markup">index=INDEX sourcetype=sourcetype | transaction startswith="Run bot Deployed" endswith="Run bot finished" | table _raw, duration, eventcount</LI-CODE><P>For calculating average of duration extract field "ITEM NAME" if it does not exist and use stats.</P><LI-CODE lang="markup">index=INDEX sourcetype=sourcetype | rex "ITEM NAME=(?&lt;ITEM_NAME&gt;[^,]+)$" | transaction startswith="Run bot Deployed" endswith="Run bot finished" | stats avg(duration) as avg_duration_sec by ITEM_NAME</LI-CODE><P>&nbsp;</P><P>If this reply helps you, an upvote/like would be appreciated.</P> Fri, 12 Mar 2021 06:31:18 GMT https://community.splunk.com/t5/Splunk-Search/query-for-transactions-or-grouping-events/m-p/543477#M153939 manjunathmeti 2021-03-12T06:31:18Z