Hi @Tondapi,

Given a search like:

index=os sourcetype="syslog d" (job_name =WHK9225 ) 
| transaction job_name job_number

You can get the end time by utilizing the duration field that gets creating via the transaction command. However, duration gives you back a number of seconds. So I personally would add the duration count to the _time field and use the eval command's function stftime() to format it to something all nice and human.

So you could add this to your search:

eval end_time = strftime(duration + _time, "%F %T")

where %F and %T are whatever time format variables you want to use.

Read more on eval functions here.

P.S. You can verify that the end_time is what it should be by adding something like:

... | table job_name job_number _time duration end_time

P.P.S.