Hi @Crabbok

You shouldn't need to specify a hard-coded list of users; that was just me creating some test data. Assuming the Message field is available to run the regex, you should just be able to do:

| rex field=Message "has (?<action>[a-zA-Z]+) the event session"
| eval {action}_time=_time
| sort UserXXID
| streamstats count as userEventNum min(joined_time) as session_joined_time, max(left_time) as session_left_time by UserXXID reset_after="action=\"left\""
| eval action_time=_time
| stats range(action_time) as sessionDurationSeconds, values(action) as actions, max(_time) as session_left_time by UserXXID session_joined_time

If UserXXID is not a field then you can use rex to get this too.

If you want to stick to using transactions, try adding *keepevicted=true* to your transaction command, as I think this might keep the non-completed transaction events. See https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Transaction#:~:text=Syntax%3A%20keepevicted%3D%3Cbool%3E

🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.
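The join/leave pairing that the search in the answer above performs, re-implemented in Python as an added example so the logic can be checked offline (this is not Splunk code and not from the original thread). It assumes a constructed log line layout of `<timestamp> <UserXXID> <Message>`, uses the same regex as the rex command, closes a user's group after a "left" event the way streamstats reset_after does, and exposes a `keep_evicted` switch: with it off, a group that never saw "left" is dropped, which is the behaviour keepevicted=true on transaction is meant to avoid.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not from the thread): "<timestamp> <UserXXID> <Message>".
# U1002 joins and never leaves, so its session is incomplete ("evicted").
SAMPLE_EVENTS = [
    "2024-05-01 09:00:00 U1001 User U1001 has joined the event session",
    "2024-05-01 09:02:30 U1002 User U1002 has joined the event session",
    "2024-05-01 09:45:10 U1001 User U1001 has left the event session",
    "2024-05-01 09:50:00 U1003 heartbeat ok",  # no action: dropped like a failed rex
    "2024-05-01 10:00:00 U1001 User U1001 has joined the event session",
    "2024-05-01 10:30:00 U1001 User U1001 has left the event session",
]

# Same pattern as the rex command in the answer; 'action' captures joined/left.
ACTION_RE = re.compile(r"has (?P<action>[a-zA-Z]+) the event session")
# Assumed line layout for the constructed sample (hypothetical, not a Splunk format).
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<msg>.*)$")


def parse_event(line):
    """Return (epoch_seconds, user_id, action), or None when the line carries no action."""
    m = LINE_RE.match(line)
    if not m:
        return None
    a = ACTION_RE.search(m.group("msg"))
    if not a:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc).timestamp()  # epoch seconds, like _time
    return ts, m.group("user"), a.group("action")


def _finalize(user, times, actions):
    """Equivalent of the closing stats: duration is the range of action times in the group."""
    joined = [t for t, a in zip(times, actions) if a == "joined"]
    left = [t for t, a in zip(times, actions) if a == "left"]
    return {
        "UserXXID": user,
        "session_joined_time": min(joined) if joined else None,
        "session_left_time": max(left) if left else None,
        "sessionDurationSeconds": max(times) - min(times),
        "actions": sorted(set(actions)),  # values(action)
        "complete": bool(left),
    }


def sessionize(lines, keep_evicted=True):
    """Group each user's events into sessions, closing a group after a 'left' event
    (streamstats reset_after). keep_evicted=False drops groups that never saw 'left',
    which is what a transaction does unless keepevicted=true is set."""
    events = [e for e in map(parse_event, lines) if e is not None]
    events.sort(key=lambda e: (e[1], e[0]))  # by user, then time
    open_groups = {}  # user -> (times, actions) of the session still running
    sessions = []
    for ts, user, action in events:
        times, actions = open_groups.setdefault(user, ([], []))
        times.append(ts)
        actions.append(action)
        if action == "left":
            sessions.append(_finalize(user, times, actions))
            del open_groups[user]
    if keep_evicted:
        for user, (times, actions) in sorted(open_groups.items()):
            sessions.append(_finalize(user, times, actions))
    return sessions


if __name__ == "__main__":
    for s in sessionize(SAMPLE_EVENTS):
        print(s)
```

Run as a script it prints one dict per session; U1001 gets two complete sessions (2710 s and 1800 s) and U1002 an incomplete one with `session_left_time` of None and a zero duration. Calling `sessionize(SAMPLE_EVENTS, keep_evicted=False)` returns only the two complete sessions, which is the result the original poster was seeing from transaction before adding keepevicted=true.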