Hi @ramana4u,

the solution from @yuanliu will surely work, but I don't like transaction command because it's a very slow command And I prefer to use transaction command only if other solutions will not work.

So please try also this solution:

index=your_index source IN (Request.log, Response.log)
| eval kind=if(source="Request.log","Request","Response")
| stats 
   dc(kind) AS kind_count 
   values(kind) AS kind 
   earliest(eval(if( kind="Request",_time,""))) AS earliest 
   latest(eval(if( kind="Request",_time,""))) AS latest 
   BY requestID 
| eval duration=latest-earliest
| where (kind_count=1 AND kind="Request") OR (kind_count=2 AND duration>1800)

In addition: use always the index in your main search, you'll have faster searches.

Ciao.

Giuseppe