I got around to looking further into this today and works as advertised...

Here is what I ended up with, still need to do a little date formatting but the content is 100%.

index=anIndex sourcetype=aSourceType aJobName ("START of script" OR "COMPLETED OK") earliest=-7d@d

| rex "(?<event_name>(START of script)|(COMPLETED OK))"

| eval event_name=CASE(event_name="START of script", "script_start", event_name="COMPLETED OK", "script_complete")

| eval event_time=strftime(_time, "%Y-%m-%d %H:%M:%S")

| eval aSortTime=_time

| eval {event_name}_time=_time

| transaction host job_name startswith=(event_name="script_start") endswith=(event_name="script_complete")

| eval "Job Name"="Fake Job Name"

| eval "Host Name"=if (host="HOST1", "Host1-Name", "Host2-Name")

| eval "Start Date/Time"=strftime(script_start_time, "%Y-%m-%d %H:%M:%S")

| eval "Stop Date/Time"=strftime(script_complete_time, "%Y-%m-%d %H:%M:%S")

| eval "Day Of Week"=strftime(script_complete_time, "%A")

| eval "Duration"=tostring(duration, "duration")

| sort aSortTime

| table "Host Name", "Day Of Week", "Job Name", "Start Date/Time", "Stop Date/Time", , "Duration"

Interesting, I ran your SPL with the real index, sourcetype, jobname, etc... and got what appears to be some pretty good results.

I will need to go back and verify the data from your SPL and my SPL, check conversions to CDT, etc... and then try to understand what exactly its doing since I am somewhat new to Splunk and have never worked with transactions before today.

It will take some time to go through validation, etc..  and am still hoping there is a simple one line addition / change to my original SPL to get the latest start time for the one row that is causing me issues.

I tried this and it looks like its taking the last raw time for every row, not just the one with two ?

index=anIndex sourcetype=aSourceType aJobName ("START of script" OR "COMPLETED OK")

| eval startTimeRaw = if (match(_raw, "START of script"), _time, null())

| eval endTimeRaw = if (match(_raw, "COMPLETED OK"), _time, null())

| eventstats last(startTimeRaw) AS startTimeRaw

To get the max value from a multi-value field, install the mvstats app (https://splunkbase.splunk.com/app/5198) and use

| mvstats max startTimeRaw as startTime

Is it possible to get the value or startTimeRaw using an index ?

My thinking is set the index to 0 and then if there are more than 1 value in startTimeRaw set the index to 1 instead of 0, then get the value of startTimeRaw at that index.

Original SPL:

| stats range(_time) as duration values(startTimeRaw) as startTimeRaw values(endTimeRaw) as endTimeRaw by eventDate, host

Pseudo Code:

| eval anIndex =0

Then check the # of values in startTimeRaw and if > 0 set anIndex to the value of startTimeRaw at the last values index. ( | eval startTimeRawUsingIndex = startTimeRaw @ anIndex)

| stats range(_time) as duration values(startTimeRawUsingIndex) as startTimeRaw values(endTimeRaw) as endTimeRaw by eventDate, host

Did the transaction search from @johnhuang not provide you what you needed? Looking at that search, it should give you what you need (assuming that two jobs will never overlap each other, even if one of them starts late).

If that transaction search is not what you need, can you explain why it did not work, so that we can get a better idea of what you are trying to achieve?

I am waiting for some new log files (sourcetypes) to be added to my Splunk index. They should be available next week and will look at implementing the solution provided by  @johnhua.

Since I am somewhat new to Splunk it will take me some time to understand what it is doing and then add / change the SPL to fit the formating on the output.

In the meantime I am looking for a solution to my existing SPL, if there is one...

I checked and for my Splunk environment mvstats is not a valid command.  I have reached out to my Splunk sys admin to see if it can be added.

In the meantime anything else you can think of that I can try ?