Hello,

I am trying to get an event inside of a transaction to use for duration calculation. My events currently look like this (for one user):

2021-06-07 17:53:01 UserId:123 Session complete
2021-06-07 17:25:01 UserId:123 Start session
2021-06-07 17:17:01 UserId:123 Choose location for session:231
2021-06-07 15:33:01 UserId:123 Session complete
2021-06-07 14:55:01 UserId:123 Start session
2021-06-07 14:42:01 UserId:123 Choose location for session:212

I want to get the duration of the session from start to completion but also need to session number. I set up my search with a transaction starting with the "Choose" event and ending with the "Session complete" event in order to get the session number with the grouping, but I need to access the "Start session" event to calculate the duration. How should I go about this? My search is below:

index=INDEX host=HOST sourcetype=SOURCETYPE earliest=-1d@d latest=now
| rex field=_raw "UserId:(?<user_id>\d+)\sSession\scomplete"
| rex field=_raw "UserId:(?<user_id>\d+)\sStart\ssession"
| rex field=_raw "UserId:(?<user_id>\d+)\sChoose\slocation\sfor\ssession:(?<session_id>\d+)"
| where user_id<3000
| sort 0 user_id -_time
| transaction user_id startswith="Choose" endswith="complete"