Hi @zapping575 I would generally avoid `transaction` where possible and try to use `stats` for this instead. You might find something like this works (it might need tweaking slightly) because I don't have data to test with, but I tried using the sample events provided:

```
| makeresults count=2
| streamstats count
| eval _raw=if(count==1, "2020-2-20T11:11:11 host1 component1 ... to FAIL ...", "2020-2-20T11:11:55 host1 component 1... from FAIL to ..."),
       host="host1", component="component1", _time=strptime(_raw,"%FT%H:%M:%S")
```

```
index=your_index ("to FAIL" OR "from FAIL")
| eval event_type=case(
    like(_raw,"%to FAIL%"), "start",
    like(_raw,"%from FAIL%"), "end"
  )
| stats earliest(_time) as first_time latest(_time) as last_time values(_raw) as raw_events by host, component, event_type
| eval first_time_fmt=strftime(first_time, "%Y-%m-%d %H:%M:%S"), last_time_fmt=strftime(last_time, "%Y-%m-%d %H:%M:%S")
| stats values(eval(if(event_type="start", first_time, null()))) as start_time
        values(eval(if(event_type="end", first_time, null()))) as end_time
        values(raw_events) as all_raw
        by host, component
| eval diff=abs(start_time - end_time)
| where diff > 30
| eval start_time=strftime(start_time, "%Y-%m-%d %H:%M:%S"), end_time=strftime(end_time, "%Y-%m-%d %H:%M:%S")
| table host, component, start_time, end_time, diff, all_raw
```

🌟 Did this answer help you? If so, please consider:

- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
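For readers who want to check what the two `stats` passes above actually compute before running them against real data, here is the same pairing logic written out in Python. This is an added example, not code from the answer or from Splunk; the log lines it parses are constructed to match the shape of the events in the thread, and the `host`/`component` field layout, the `parse_event` and `find_long_failures` names, and the 30-second threshold are assumptions. It also makes one edge case visible that the SPL handles silently: a host that enters FAIL and never recovers yields a null `diff`, so the `where` clause drops it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the question); each line is
# "<timestamp> <host> <component> <message>", like the events in the thread.
SAMPLE_EVENTS = [
    "2020-2-20T11:11:11 host1 component1 state changed from OK to FAIL (timeout)",
    "2020-2-20T11:11:55 host1 component1 state changed from FAIL to OK",
    "2020-2-20T11:12:00 host2 component7 state changed from OK to FAIL",
    "2020-2-20T11:12:10 host2 component7 state changed from FAIL to OK",
    "2020-2-20T11:13:00 host3 component2 state changed from OK to FAIL",  # never recovers
]

# Assumed field layout: timestamp, host, component, free-text message.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<component>\S+)\s+(?P<msg>.*)$")


def parse_event(line):
    """Split one log line into fields and classify it like the SPL case()."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Same ordering as the case() expression: "to FAIL" wins if both substrings appear.
    if "to FAIL" in m["msg"]:
        event_type = "start"
    elif "from FAIL" in m["msg"]:
        event_type = "end"
    else:
        return None  # would not match the base search's filter
    return {
        "_time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "host": m["host"],
        "component": m["component"],
        "event_type": event_type,
        "_raw": line,
    }


def find_long_failures(lines, threshold_seconds=30):
    """Mirror the two stats passes: earliest start/end per host+component, then the diff."""
    # Pass 1: earliest _time and the raw events by host, component, event_type
    first_time = {}
    raw_events = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["host"], ev["component"], ev["event_type"])
        if key not in first_time or ev["_time"] < first_time[key]:
            first_time[key] = ev["_time"]
        raw_events[key].append(ev["_raw"])

    # Pass 2: fold the start and end rows onto one row per host, component
    pairs = defaultdict(dict)
    for (host, component, event_type), t in first_time.items():
        pairs[(host, component)][event_type] = t

    results = []
    for (host, component), times in sorted(pairs.items()):
        start, end = times.get("start"), times.get("end")
        if start is None or end is None:
            # abs(null) is null in SPL, so "where diff > 30" drops the row: a FAIL with
            # no matching recovery event disappears from the report.
            continue
        diff = abs((end - start).total_seconds())
        if diff > threshold_seconds:
            results.append({
                "host": host,
                "component": component,
                "start_time": start.strftime("%Y-%m-%d %H:%M:%S"),
                "end_time": end.strftime("%Y-%m-%d %H:%M:%S"),
                "diff": diff,
                "all_raw": raw_events[(host, component, "start")]
                           + raw_events[(host, component, "end")],
            })
    return results


if __name__ == "__main__":
    for row in find_long_failures(SAMPLE_EVENTS):
        print(row)
```

With the constructed events, only `host1`/`component1` (44 seconds in FAIL) is reported; `host2` recovers within 10 seconds and `host3`, which never recovers, is dropped exactly as the SPL drops it. If an open-ended outage should also be flagged, treat a missing end time as "now" rather than skipping the row.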