Hi, ok, please try this: your_search ("NEW TXN" OR "statusY")
| stats earliest(_time) AS starttime latest(_time) AS endtime count BY TxnId
| eval
status=case(count=2,"Both present",searchmatch("NEW TXN"),"Only NEW TXN",searchmatch("statusY"),"Only statusY"),
starttime=strftime('starttime', "%Y-%m-%d %H:%M:%S.%3N"),
endtime=strftime('endtime', "%Y-%m-%d %H:%M:%S.%3N")
| table TxnId starttime endtime status in this way you can identify all the conditions and take only the ones you want. Ciao. Giuseppe
... View more