index=aaa host=aaa* sourcetype=aaa_logs Command="Step1*" OR Command="Step2*" | dedup UniqueString |transaction startswith=Step1* endswith=Step2* |table date_mday UniqueString duration | sort _time Above is my search string, if I search the last 7 days, the events are the same as the last 24 hours search result, which is impossible. Last 7 days should have more records. Please help~ ... View more

I used below search but it doesn't pair the Step1 and Step2 UniqueString. index=aaa host=aaa* sourcetype=aaa_logs Command="Step1*" OR Command="Step2*" | sort by _time | dedup UniqueString |sort Date,Time, UniqueString |transaction startswith=Step1* endswith=Step2* |table UniqueString duration The result is not correct: For Step1 and Step2 that having same Date Time, they are paired correctly by the UniqueString: 210312 14:07:55.609 INFO Step1( "UniqueString7.DAT" ) 210312 14:07:55.609 INFO Step2("M;UniqueString7", "A", "C", "D", "A") However, for Step1 and Step2 that has different Date Time, they look like this: 210312 12:07:56.015 INFO Step2("M;UniqueString6", "A", "C", "D", "A") 210312 12:06:56.609 INFO Step1( "UniqueString5.DAT" ) 210312 12:05:56.015 INFO Step2("M;UniqueString5", "A", "C", "D", "A") 210312 12:04:56.609 INFO Step1( "UniqueString4.DAT" ) I think the problem is due to not every Step1 will have the corresponding Step2. Please help! Resolved the issue by removing the | sort by _time ... View more