So I'm looking to find users that are going from Building A --> to Building B.
The problem is the transaction is showing dual events in the one column, and multiple events. I literally only want the one event showing the time left in Building A to the time first seen in Building B.
Another use case: the time left from Building A to go to Building B and total duration of the stay.
sourcetype=private User=$user is here as example$
| rename map_info as "Map_Location"
| rename last_located_time as "Time user was last seen"
| streamstats window=2 current=t earliest("Time user was last seen") AS first latest("Time user was last seen") AS last
| transaction from User maxevents=2 startswith="A" endswith="B" maxspan=3h
| eval endtime = 'Time user was last seen' + duration
| eval endtime=strftime('Time user was last seen', "%H:%M:%S-%d/%m/%Y")
| eval time=tostring(duration,"duration")
| fields - duration,endtime,location,split
| table User,"Map_Location","Time user was last seen",macAddress,first,last,time
| rename first as "Last seen @ Building A"
| rename last as "Last seen @ Building B"
| sort - time first last "Time user was last seen"