Using the transaction command can have unexpected behaviour, as it is constrained by memory and has limitations. The documentation for transaction suggests you use stats as an alternative: https://docs.splunk.com/Documentation/Splunk/8.1.2/Search/Abouttransactions

| stats range(_time) as duration by UniqueString

This would give you the duration. Not sure what your dedup command is for, as that would prevent the above from working, and it's not clear what fields you have, but this should work.

Here's a run anywhere example - all bar the last line is setting up your example data

| makeresults
| eval event="210312 12:07:45.619 INFO Step1( \"UniqueString2.DAT\" )###210312 12:07:55.609 INFO Step1( \"UniqueString1.DAT\" )###210312 12:07:56.015 INFO Step2(\"M;UniqueString1\", \"A\", \"C\", \"D\", \"A\")###210312 12:07:56.609 INFO Step1( \"UniqueString3.DAT\" )###210312 12:15:27.989 INFO Step2(\"M;UniqueString2\", \"B\", \"E\", \"F\", \"B\")"
| makemv event delim="###"
| mvexpand event
| rex field=event "(?<t>\d+ \d+:\d+:\d+\.\d+) INFO (?<Command>\w+).*(?<UniqueString>UniqueString\d+)"
| eval _time=strptime(t, "%y%m%d %H:%M:%S.%Q")
| table _time Command UniqueString
| stats range(_time) as duration list(_time) as times by UniqueString
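
An added example, not part of the original post: in the sample data above, UniqueString3 has only a Step1 event, so range(_time) returns 0 for it and it is indistinguishable from a pair that completed instantly. This variant of the same search also counts the distinct Command values per UniqueString so that unpaired events are flagged instead of reported with a zero duration; the field names steps, commands and status are introduced here for illustration and are not from the post.

```spl
| makeresults
| eval event="210312 12:07:45.619 INFO Step1( \"UniqueString2.DAT\" )###210312 12:07:55.609 INFO Step1( \"UniqueString1.DAT\" )###210312 12:07:56.015 INFO Step2(\"M;UniqueString1\", \"A\", \"C\", \"D\", \"A\")###210312 12:07:56.609 INFO Step1( \"UniqueString3.DAT\" )###210312 12:15:27.989 INFO Step2(\"M;UniqueString2\", \"B\", \"E\", \"F\", \"B\")"
| makemv event delim="###"
| mvexpand event
| rex field=event "(?<t>\d+ \d+:\d+:\d+\.\d+) INFO (?<Command>\w+).*(?<UniqueString>UniqueString\d+)"
| eval _time=strptime(t, "%y%m%d %H:%M:%S.%Q")
| stats range(_time) as duration dc(Command) as steps values(Command) as commands by UniqueString
| eval status=if(steps>=2, "complete", "incomplete")
| eval duration=if(status="complete", duration, null())
| table UniqueString status commands duration
```

With the constructed sample events, UniqueString1 and UniqueString2 come back as complete with durations of about 0.406 and 462.37 seconds, and UniqueString3 is marked incomplete with no duration.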