Your original search
index=myindex ("started plan instance") OR ("successfully completed Plan")
|"all your rex to extract Job_Name,id and other fields"
|stats count,earliest(_time) as _time by id,Job_Name
|where count <2|eval duration=round((now()-_time)/3600,2)|where duration>2
Is free to catch the single events which have the string "successfully completed". Here I am running the query for a 2-hour time range. All the events which are started at before 2 hours but not completed started string in them, will generate the completed transaction events with the same id and Job_Name after 15 min (exactly when I started the search).
To avoid that, I had additionally filtered the "successfully completed" string events.
But when I increase the time range to 24 hours, I am seeing the event duration as 23, 22, 22.3.20, 19, 14, 18 ... 2 hours