I am trying to use the transaction command to group events within 5 minutes of each other, and have set up fields to show start time, end time, and duration. With the way I've written my search, my end time is the start time of the last event, not the actual end time, since the last event has its own duration.
How can I get the transaction command to set the end time as the end time of the last event, with the duration of the event added to the total transaction as well?
I found this problem when there was a single event for a particular user, and start time and end time were the same, since there was not another event to go along with it. This also resulted in the duration being 0, even though that was not correct.
Here's my current search:
index search ... | transaction maxpause=5m src_user | eval "endtime"=_time+duration | convert ctime("endtime") | eventstats sum(bytes_in) as "tbytesin" by _cd | eventstats sum(bytes_out) as "tbytesout" by _cd | addtotals fieldname=tbytes tbytes* | eval cduration=tostring(duration, "duration") | eval tbytesin = tostring(tbytesin, "commas") | eval tbytesout = tostring(tbytesout, "commas") | eval tbytes = tostring(tbytes, "commas") | eval tbytesin = "_ " + tbytesin | eval tbytesout = "_ " + tbytesout | eval tbytes = "_ " + tbytes | table src_user,_time,endtime,cduration,src_ip,tbytesin,tbytesout,tbytes | sort _time desc | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(_time) | rename _time AS "Start Time",endtime AS "End Time",cduration as Duration,src_user AS "User",src_ip AS "IP Address",tbytesin AS "Total Bytes In",tbytesout AS "Total Bytes Out",tbytes AS "Total Bytes"
Can anyone help me with the last piece to this puzzle?
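As an added example (not part of the original question, and not Splunk's own transaction implementation), here is a small Python model of the grouping the post describes: events for one src_user are chained while consecutive _time values are within maxpause, and each transaction's end is taken as the latest event end (that event's _time plus its own duration), so a single-event transaction no longer collapses to a zero duration. The event fields, sample values and the naive_duration helper used for contrast are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MAXPAUSE = timedelta(minutes=5)  # mirrors transaction maxpause=5m


@dataclass
class Event:
    src_user: str
    time: datetime      # the event's _time
    duration: float     # seconds the event itself lasted
    bytes_in: int
    bytes_out: int


@dataclass
class Transaction:
    src_user: str
    start: datetime
    end: datetime
    duration: float     # seconds from start to the end of the last event
    tbytesin: int
    tbytesout: int
    tbytes: int
    count: int


def naive_duration(events):
    """The behaviour the post complains about: duration measured only between
    the first and last event start, so a single-event transaction reports 0."""
    return (events[-1].time - events[0].time).total_seconds()


def _finish(events):
    start = events[0].time
    # Correct end: the latest (start + own duration) over all events in the group.
    end = max(e.time + timedelta(seconds=e.duration) for e in events)
    tbytesin = sum(e.bytes_in for e in events)
    tbytesout = sum(e.bytes_out for e in events)
    return Transaction(
        src_user=events[0].src_user,
        start=start,
        end=end,
        duration=(end - start).total_seconds(),
        tbytesin=tbytesin,
        tbytesout=tbytesout,
        tbytes=tbytesin + tbytesout,
        count=len(events),
    )


def group_transactions(events, maxpause=MAXPAUSE):
    """Group events per src_user; start a new transaction when the gap between
    consecutive event start times exceeds maxpause."""
    by_user = {}
    for ev in sorted(events, key=lambda e: (e.src_user, e.time)):
        by_user.setdefault(ev.src_user, []).append(ev)
    result = []
    for evs in by_user.values():
        current = [evs[0]]
        for ev in evs[1:]:
            if ev.time - current[-1].time > maxpause:
                result.append(_finish(current))
                current = [ev]
            else:
                current.append(ev)
        result.append(_finish(current))
    return result


def format_row(tx):
    """Render one transaction the way the post's table does (constructed)."""
    fmt = "%m/%d/%Y %H:%M:%S"
    return (tx.src_user, tx.start.strftime(fmt), tx.end.strftime(fmt),
            tx.duration, tx.tbytesin, tx.tbytesout, tx.tbytes)


# Constructed sample events: alice has two bursts 7 minutes apart, bob one event.
T0 = datetime(2024, 1, 15, 10, 0, 0)
SAMPLE_EVENTS = [
    Event("alice", T0, 30, 100, 200),
    Event("alice", T0 + timedelta(minutes=3), 120, 300, 400),
    Event("alice", T0 + timedelta(minutes=10), 60, 50, 60),
    Event("bob", datetime(2024, 1, 15, 9, 0, 0), 45, 10, 20),
]

if __name__ == "__main__":
    for tx in group_transactions(SAMPLE_EVENTS):
        print(format_row(tx))
```

Running the block prints three rows: alice 10:00:00 to 10:05:00 (duration 300, the second event's own 120 seconds included), alice 10:10:00 to 10:11:00 (duration 60 rather than 0), and bob's single event with duration 45; naive_duration on bob's one-event group returns 0, which is the symptom described in the question.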