The latter of the two is an example I created that is very similar to the actual search results I am seeing. ... View more

Yes, I was referring to Splunk's _time.   | transaction ID startswith="message=Faulted" endswith="message=Completed" This search returns no results.   This sort does not change the results. ... View more

It seems that syntax does not successfully convert StartTime to epoch. When you table the sTime , no results are visible and the sort does not work. I also tired | eval sTime = strptime(startTime,"%FT%T.%QZ") and | eval sTime = strptime(StartTime, "%Y-%m-%dT%H:%M%S.%3Q%Z) and | eval sTime = strptime(StartTime, "%Y-%m-%dT%H:%M%S.%QZ) and | eval sTime = strftime(StartTime, "%Y-%m-%dT%H:%M%S.%QZ) ... View more

These are the results when I use a sort before the transaction command:   sort -status    = no results sort -message   = no results sort -time  = sorted based on time but no change to logs that are used in the results. Still complete then fail. ... View more

I am unable to provide a copy of the logs, but I can create an example myself:   _time                                 Name       ID          status     message         start time                         endtime 2026-05-22  00:00:30:900                    Log1            123                     4                      Complete            2026-05-22T04:00:30.900Z                  2026-05-22T04:00:40.03Z                                                                                                                                               5                    Failed         2026-05-22T08:02:00.888Z               2026-05-22T08:02:10.933Z In this example, the fail is showing with the completion that happened prior to the failure, when instead, I want it to show the completion after. This example shows the results after they have been tabled. ... View more