Hi, I have the following SPL working fine when I have a starting event and ending event in my logs.

If I have a starting event but no ending event I get no results and would like to show at least starting event info but am having some troubles.

Is there a way to fake out the ending event to be the starting event just to get some data ?

Or are there any other approaches that might make this work ?

index=anIndex sourcetype=aSourceType (aString1 AND "START of script") OR (aString2 AND "COMPLETED") earliest=@d latest=now

| rex "(?<event_name>(START of script)|(COMPLETED OK))"
| eval event_name=CASE(event_name="START of script", "script_start", event_name="COMPLETED OK", "script_complete")
| eval event_time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval {event_name}_time=_time
| transaction host job_name startswith=(event_name="script_start") endswith=(event_name="script_complete")
| eval aTime1= _time - (strptime(strftime(_time,"%Y-%m-%dT%H:%M:%S.%3N")." CDT","%Y-%m-%dT%H:%M:%S.%N%Z") - _time)
| eval eventStartTimeCDT=strftime(aTime1, "%H:%M:%S %p")
| eval endTime = _time + duration
| eval eventEndTimeCDT=strftime(endTime, "%H:%M:%S %p")
| eval dayNumber = strftime(endTime, "%w")

| eval "Start / End Job's"="aString1 / aString2"
| eval "Host Name"=if (host="aHostName1", "aHostName1", "aHostName2")
| eval "Duration"=tostring(duration, "duration")
| eval "Day" = strftime(endTime, "%a. %b. %e, %Y")
| eval "Start Time"=eventStartTimeCDT
| eval "End Time"=eventEndTimeCDT
| eval "Due By Time" = if (dayNumber == 0, "02:00 PM", "07:00 AM")

| table "Host Name", "Day", "Start / End Job's", "Start Time", "End Time", "Due By Time", "Duration"