Hello,

I have someone with logs looking a bit like this:
QuoA, started
QuoB, started
QuoC, started
QuoB, ended
QuoC, ended
QuoA, cancelled

The goal is to gather statistics such as the average duration for each "QuoX". Then, everytime the script generating those logs runs, we can compare the duration with the average. Our current solution is to calculate the average say once a week and store it in a lookup file. Then, everyday we can compare the duration with the average.

Our search is:

sourcetype="Log_schedule"
| transaction schedule startswith=eval(state="started") endswith=eval(in(state,"ended","cancelled")) keeporphans=true mvlist="state" 
| eval last_state=mvindex(state,-1) 
| where last_state="ended" 
| lookup avg_duration_log.csv schedule OUTPUT avg_duration
| stats count as number first(avg_duration) latest(duration) as last_duration by schedule

Our issue is this: if there are orphans in the logs, the search won't complete and crash. If i run on a subset of logs with no "cancelled", it works fine. I figured to use "keeporphans=false" and that works well. However, I'm sure we're doing something wrong/bad. Is there any specific reasons why orphans would crash the search? Is there a much easier way to do this that we simply didn't think about?

Thank you!