Why did you specify maxspan=180s for the transaction if your goal is to look for events longer than 15 minutes?

| transaction ThreadId host maxspan=180s startswith=(LogMessage=start) endswith=(LogMessage=end)

You dropped the fields ThreadId and host from the subsequent grouping using stats. Was this intentional?

| stats earliest(_time) as "first", latest(_time) as "last", count by Type, CompleteDescription

Expanding on @gcusello's solution, we can make a simple adjustment to give you a similar output as your original query.

| stats range(_time) AS duration_secs earliest(_time) as "first" latest(_time) as "last" count values(CompleteDescription) AS CompleteDescription values(Type) AS Type BY ThreadId host

You can move one of your filters up to improve efficiency:

| where duration_secs>=1800

index=log sourcetype=servlog
| stats range(_time) AS duration_secs earliest(_time) as "first" latest(_time) as "last" count values(CompleteDescription) AS CompleteDescription values(Type) AS Type BY ThreadId host
| where duration_secs>=1800
| eventstats sum(count) as count_full by Type, CompleteDescription
| eventstats sum(count) as total by Type
| eval percentage = round((count_full/total)*100,0)
| eval time_diff = round((last - first)/60, 0)
| eval CompleteDescription=upper(CompleteDescription)
| search Type!=SSL (CompleteDescription = "MISSING RESPONSE" OR CompleteDescription = "TIMEOUT" OR CompleteDescription = "TECHNICAL ERROR" OR CompleteDescription = "INTERNAL SYSTEM ERROR" OR CompleteDescription = "NO REACHABILITY") total >= 10 percentage >= 50 time_diff >= 30
| convert ctime(first) ctime(last)
| table Type, CompleteDescription, count_full, count, percentage
| sort - percentage, total

If you're still having issues, could you provide sample events?
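To make the stages of that pipeline concrete, the following is an added Python emulation, not Splunk code and not part of the thread. It runs the same stats/where/eventstats/eval/search/sort steps over constructed sample events (generated inline, not real log data) and assumes one Type and one CompleteDescription per thread, so the values() multivalue fields collapse to single values; the total per Type is the sum of the per-thread event counts.

```python
from collections import defaultdict

# Descriptions the `| search` step keeps (after upper()), as in the query.
ERROR_DESCRIPTIONS = {"MISSING RESPONSE", "TIMEOUT", "TECHNICAL ERROR",
                      "INTERNAL SYSTEM ERROR", "NO REACHABILITY"}


def make_thread(tid, host, typ, desc, start, end, n):
    """Constructed sample data: n events for one (ThreadId, host), spread from start to end (epoch secs)."""
    step = (end - start) // (n - 1) if n > 1 else 0
    return [{"_time": start + i * step, "ThreadId": tid, "host": host,
             "Type": typ, "CompleteDescription": desc} for i in range(n)]


# Constructed events: thread id, host, Type, description, first/last time, event count.
SAMPLE_EVENTS = (
    make_thread("t1", "app1", "HTTP", "Timeout", 0, 2400, 4)            # 40 min, kept
    + make_thread("t2", "app1", "HTTP", "Timeout", 0, 3000, 4)          # 50 min, kept
    + make_thread("t3", "app1", "HTTP", "Missing Response", 0, 120, 5)  # 2 min, dropped by where
    + make_thread("t4", "app2", "HTTP", "OK", 0, 3600, 4)               # 60 min, kept, not an error
    + make_thread("t5", "app2", "SSL", "Timeout", 0, 5000, 11)          # removed by Type!=SSL
)


def stats_by_thread(events):
    """| stats range(_time) earliest(_time) latest(_time) count values(...) BY ThreadId host"""
    groups = defaultdict(list)
    for e in events:
        groups[(e["ThreadId"], e["host"])].append(e)
    rows = []
    for (tid, host), evs in sorted(groups.items()):
        times = [e["_time"] for e in evs]
        rows.append({
            "ThreadId": tid, "host": host,
            "duration_secs": max(times) - min(times),
            "first": min(times), "last": max(times),
            "count": len(evs),
            # values() yields the distinct values; one per thread is assumed here
            "CompleteDescription": ";".join(sorted({e["CompleteDescription"] for e in evs})),
            "Type": ";".join(sorted({e["Type"] for e in evs})),
        })
    return rows


def eventstats_sum(rows, field, by, as_name):
    """| eventstats sum(<field>) as <as_name> by <by>: every row receives its group's sum."""
    sums = defaultdict(int)
    for r in rows:
        sums[tuple(r[k] for k in by)] += r[field]
    for r in rows:
        r[as_name] = sums[tuple(r[k] for k in by)]
    return rows


def run_pipeline(events):
    """Apply the query's steps in order and return the rows the `| table` step would show."""
    rows = stats_by_thread(events)
    rows = [r for r in rows if r["duration_secs"] >= 1800]            # | where duration_secs>=1800
    rows = eventstats_sum(rows, "count", ("Type", "CompleteDescription"), "count_full")
    rows = eventstats_sum(rows, "count", ("Type",), "total")          # events per Type
    for r in rows:                                                    # | eval ...
        r["percentage"] = int(round(r["count_full"] / r["total"] * 100))
        r["time_diff"] = int(round((r["last"] - r["first"]) / 60))
        r["CompleteDescription"] = r["CompleteDescription"].upper()
    rows = [r for r in rows                                           # | search ...
            if r["Type"] != "SSL"
            and r["CompleteDescription"] in ERROR_DESCRIPTIONS
            and r["total"] >= 10 and r["percentage"] >= 50 and r["time_diff"] >= 30]
    rows.sort(key=lambda r: (-r["percentage"], r["total"]))           # | sort - percentage, total
    cols = ("Type", "CompleteDescription", "count_full", "count", "percentage")
    return [{k: r[k] for k in cols} for r in rows]


if __name__ == "__main__":
    for row in run_pipeline(SAMPLE_EVENTS):
        print(row)
```

With the constructed data, HTTP has 12 events across the three threads that survive the duration filter, 8 of them TIMEOUT, so the two TIMEOUT threads are reported at 67% while the OK thread (33%) and the SSL thread are filtered out. Note that, just as in the SPL, the result keeps one row per thread rather than one per description.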