Hi @ITWhisperer,
Thank you for your answer.

yes, I can identify each transaction with a unique ID.
I'm already doing this. or do you mean to combine my two transactions into one?

How do you know that transaction 1 and transaction 2 are part of the same incident?

If I understand correctly, you want the time between first start (10 am) and last end (11:30 am), is that right?

If the first transaction finished at 11 am and the second one started at 12pm, both transactions taking an hour, would you want the duration to be 2 hours or 3 hours?

@ITWhisperer,
Thanks again for your reply.

well,
I identify each transaction thanks to a series of data that each transaction contains.
this is the start of my search:

index = index1
| eval ID = Service + "_" + Env + "_" + Apps + "_" + Function
| addinfo
| transaction ID startswith = (severity = 2) endswith = (severity = 0 OR severity = 1 OR severity = -1) maxevents = 4

"If I understand correctly, you want the time between first start (10 am) and last end (11:30 am), is that right?"
yes, at this time the duration of the incident for the Application is 1:30 hour.

but if
transaction 1 =
start 10:00 AM
end 11:00 AM

transaction 2 =
start 11:00 AM
end 12:00 PM

in this case the duration is equal to the sum of the duration transaction 1 + duration transaction 2
note: I have several Applications, and my ID allows me to separate transactions.

It is still not clear what ties transaction 1 to transaction 2. Suppose there was a third transaction (transaction 3) which was part of a different "incident". How would you know whether to consider the start of transaction 1 and the end of transaction 2, or the start of transaction 1 and the end of transaction 3?

Here is an example of two transactions and underlined in blue which allows me to differentiate them

index = index1
| eval IncidentID = Service + "_" + Env + "_" + Apps
| stats first(_time) as start last(_time) as end by IncidentID
| eval duration=end-start

@ITWhisperer 
it is not as easy as it may seem.
I have listed several months of events, this is not a specific case.
moreover I can index several events for the same application in a day, and it is possible that these events do not overlap and which do not follow one another.

by following your solution I get this:

while for application A for example, nothing happened between 1:00 p.m. and 2:00 p.m. and with your solution I add this time to my total incident duration

thank you very much anyway.

OK I got it - I had misread your first graphic. Yes, it is a bit more complicated.

Essentially, use streamstats to keep a running total of active processes, note when the first of an overlapping set starts and when the last of the overlapping set ends, then find the difference and add all the differences to give a total processing time

it's not you but me who explains badly

Thank a lot

that explains better than me 🙂 

That looks like you want the first message from Application A and the last message from Application A. Can an application handle more than one incident? Do you need to be able to distinguish between the incidents an application is handling? How would you do this?