I don't know why you assume that there needs to be a transaction. And you keep misunderstanding the question. There are no separate types of events to detect. As I wrote earlier, let's assume you have a sequence of login events:

```
Day,User
1,user1
2,user1
13,user2
14,user3
27,user1
40,user1
51,user2
54,user3
72,user2
82,user3
101,user2
110,user3
140,user1
```

The original poster's question was how to detect events like user1's login at day 140 (since the previous login was over 90 days earlier). Your transaction-based solution won't do:

```
| makeresults
| eval _raw="Day,User
1,user1
2,user1
13,user2
14,user3
27,user1
40,user1
51,user2
54,user3
72,user2
82,user3
101,user2
110,user3
140,user1"
| multikv noheader=f
| fields Day User
| transaction User maxevents=2
| table Day User
```

It results in:

```
Day,User
"1 2",user1
"13 51",user2
"14 54",user3
"27 40",user1
140,user1
"110 82",user3
"101 72",user2
```

As you can see, we miss user1's login at day 140 completely. Transaction won't do because it just measures separate non-overlapping periods whereas we need a sliding window.
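The sliding comparison the post asks for, written out as an added example that is not part of the original post: each login is compared with the same user's immediately preceding login, and it is flagged when the gap exceeds 90 days. The function names `parse` and `dormant_logins` and the `threshold` parameter are hypothetical; the sample rows are the ones from the post.

```python
import csv
import io

# Login events copied from the post above (Day,User).
SAMPLE = """Day,User
1,user1
2,user1
13,user2
14,user3
27,user1
40,user1
51,user2
54,user3
72,user2
82,user3
101,user2
110,user3
140,user1
"""


def parse(text):
    """Turn the CSV text into a list of (day, user) tuples (hypothetical helper)."""
    reader = csv.DictReader(io.StringIO(text))
    return [(int(row["Day"]), row["User"].strip()) for row in reader]


def dormant_logins(events, threshold=90):
    """Return (day, user, previous_day, gap) for every login that follows
    more than `threshold` days of inactivity for that user.

    Every event is checked against its predecessor, so consecutive pairs
    overlap; this is the sliding window that fixed two-event grouping lacks.
    A user's first login has no predecessor and is never flagged.
    """
    last_seen = {}  # user -> day of that user's most recent login so far
    hits = []
    for day, user in sorted(events):  # process in time order
        previous = last_seen.get(user)
        if previous is not None and day - previous > threshold:
            hits.append((day, user, previous, day - previous))
        last_seen[user] = day
    return hits


if __name__ == "__main__":
    for hit in dormant_logins(parse(SAMPLE)):
        print(hit)
```
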