I'll do my best to make pseudo SPL here :)

index="prod" source="mysource" | transaction startswith=(fieldname=start_field_value OR fieldname=alternate_start_field_value) endswith=(diff_fieldname=end_value OR diff_fieldname2=alternate_fieldvalue) | stats count

You will need to encapsulate your search in "()". If you could share field names and the values desired, that would help.

I used an old eventgen data set and came up with the following. You can use this with your index(es), sourcetypes, etc.

index=main | transaction clientip JSESSIONID startswith=(status=200 action=addtocart) endswith=(status=200 AND action=purchase) | stats count by host

You can insert SPL into the "()" to define start and end. I would avoid using clear text search for any of the start/end filters though.
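As an added illustration (not part of the answer above, and not Splunk's own code), here is a small Python emulation of what the startswith/endswith pairing in the second search does: constructed web-access events are grouped by clientip and JSESSIONID, a transaction opens at a status=200 addtocart event and closes at a status=200 purchase event, and closed transactions are counted per host. It is a deliberate simplification of the transaction command (no maxspan/maxpause; a second start for the same key evicts the open one; transactions that never close are not counted), so use it to reason about the grouping logic, not as a reference for Splunk's exact output.

```python
from collections import Counter

# Constructed sample events (not from the original post), one per access-log line.
SAMPLE_EVENTS = [
    {"_time": 1, "host": "www1", "clientip": "10.0.0.1", "JSESSIONID": "SD1", "status": 200, "action": "view"},
    {"_time": 2, "host": "www1", "clientip": "10.0.0.1", "JSESSIONID": "SD1", "status": 200, "action": "addtocart"},
    {"_time": 3, "host": "www1", "clientip": "10.0.0.1", "JSESSIONID": "SD1", "status": 200, "action": "purchase"},
    {"_time": 4, "host": "www2", "clientip": "10.0.0.2", "JSESSIONID": "SD2", "status": 200, "action": "addtocart"},
    # A failed purchase (status=503) does not satisfy endswith, so the transaction stays open.
    {"_time": 5, "host": "www2", "clientip": "10.0.0.2", "JSESSIONID": "SD2", "status": 503, "action": "purchase"},
    {"_time": 6, "host": "www2", "clientip": "10.0.0.2", "JSESSIONID": "SD2", "status": 200, "action": "purchase"},
    # An end event with no preceding start for its key is ignored.
    {"_time": 7, "host": "www1", "clientip": "10.0.0.3", "JSESSIONID": "SD3", "status": 200, "action": "purchase"},
    # A start that never reaches an end is left open and not counted.
    {"_time": 8, "host": "www2", "clientip": "10.0.0.4", "JSESSIONID": "SD4", "status": 200, "action": "addtocart"},
]

# The startswith=(status=200 action=addtocart) and endswith=(status=200 AND action=purchase) filters.
def is_start(e):
    return e["status"] == 200 and e["action"] == "addtocart"

def is_end(e):
    return e["status"] == 200 and e["action"] == "purchase"

def transactions(events, keys, startswith, endswith):
    """Group events (oldest first) into transactions keyed on `keys`.

    Returns only the transactions that were closed by an endswith event,
    each as the list of its events in time order.
    """
    open_txns = {}   # key tuple -> list of events in the currently open transaction
    closed = []
    for e in sorted(events, key=lambda ev: ev["_time"]):
        k = tuple(e[f] for f in keys)
        if startswith(e):
            open_txns[k] = [e]          # a new start replaces (evicts) any open transaction
            continue
        if k not in open_txns:
            continue                    # event outside any open transaction is dropped
        open_txns[k].append(e)
        if endswith(e):
            closed.append(open_txns.pop(k))
    return closed

def count_by_host(txns):
    """Equivalent of `| stats count by host`, taking host from each transaction's first event."""
    return dict(Counter(t[0]["host"] for t in txns))
```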