Can there only ever be a single transaction submitted at any time, so you could not have

transaction submitted (1)
transaction in-progress (1)
transaction submitted (2)
transaction in-progress (2)
transaction completed (2)
transaction completed (1)

Another issue is how do you want to handle a transaction that starts inside your 30 minute window but has not yet finished, so has no log2 or log3?

You can do something simple like this:

<your search>
| stats sum(eval(if(match(type,"transaction submitted"), 1, 0))) as Submitted
    sum(eval(if(match(type,"transaction in-progress"), 1, 0))) as InProgress
    sum(eval(if(match(type,"transaction completed"), 1, 0))) as Completed
| where !(Submitted=InProgress AND Submitted=Completed)

where the field 'type' contains your log type. Or you can use the 'transaction' command with

| transaction startswith="submitted" endswith="completed" keeporphans=t
| where _txn_orphan=1 OR eventcount<3

and this will return only those transactions that do not have submitted/completed and also do not have 3 events in total.

Note that using transaction is not the best approach, as you need to consider your data size, duration of a typical transaction and other things that may affect memory usage, as you can see random results if memory becomes an issue.
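The two questions raised in the answer above (counts per log type, and a transaction that starts inside the window but has not finished) can be tried offline with the following added example, which is not part of the original post. It is written in Python rather than SPL; the sample events are constructed, and the one-open-transaction-at-a-time grouping and the 2-minute `max_duration` threshold are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

STAGES = ("transaction submitted", "transaction in-progress", "transaction completed")
# Constructed sample events for one 30 minute window (10:00-10:30).
SAMPLE = [
    ("2024-01-01 10:00:05", STAGES[0]),
    ("2024-01-01 10:00:09", STAGES[1]),
    ("2024-01-01 10:00:30", STAGES[2]),
    ("2024-01-01 10:10:00", STAGES[0]),
    ("2024-01-01 10:10:04", STAGES[1]),   # never completes
    ("2024-01-01 10:29:50", STAGES[0]),   # starts just before the window ends
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def count_check(events):
    """Same test as the stats search: flag the window if the three counts differ."""
    c = Counter(typ for _, typ in events)
    counts = tuple(c[s] for s in STAGES)
    return counts, not (counts[0] == counts[1] == counts[2])

def group_sequential(events):
    """Group events from each 'submitted' up to the next 'completed'.
    Assumption: only one transaction is open at a time (no interleaving)."""
    groups, current = [], []
    for ts, typ in sorted(events):
        if typ == STAGES[0] and current:
            groups.append(current)        # previous transaction never completed
            current = []
        current.append((ts, typ))
        if typ == STAGES[2]:
            groups.append(current)
            current = []
    if current:
        groups.append(current)
    return groups

def classify(events, window_end, max_duration=timedelta(minutes=2)):
    """Label each group lacking all 3 events: 'in-flight' if it started within
    max_duration (assumed threshold) of the window end, else 'incomplete'."""
    out = []
    for g in group_sequential(events):
        if len(g) == 3 and g[-1][1] == STAGES[2]:
            continue                      # submitted, in-progress, completed
        age = window_end - parse(g[0][0])
        out.append((g[0][0], "in-flight" if age <= max_duration else "incomplete"))
    return out
```

With interleaved transactions the sequential grouping no longer holds, and a correlating field would be needed to group events instead.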