I am using this query to see by day what sessions had requests without responses:
sourcetype=log4j "XML Sent to Service" OR "XML Response from Services"
| search "purchaserequest" OR "purchaseresponse"
| rex "(?<date>\d\d\d\d\-\d\d\-\d\d) .* -\s+\S+:(?<sessionid>[^ ]+) -.*"
| eval request=if(match(_raw,"\ "),1,0)
| eval response=if(match(_raw,"\ "),1,0)
| stats sum(request) as numRequests sum(response) as numResponses by date, sessionid
| where numRequests > numResponses
| sort date