Personally, I feel that transaction deserves some love. I know it is an expensive command, but it is also a powerful one with some very useful features. If you decide to keep using transaction, you can simply add the keepevicted=t flag to the transaction command to get the information you want.
It will add a closed_txn field which denotes transactions that were:
Opened and closed (both the startswith and endswith conditions were met). In this case, closed_txn=1
Only opened (only the startswith condition was met and therefore the transaction was evicted). In this case, closed_txn=0
So to find jobs that started but didn't complete in your time window, add | search closed_txn=0 to your search after the transaction command. If the search is running too slowly, use fields to reduce your field extractions prior to running your transaction. The whole thing might look something like this:
....search .... EventDescription="Job Created" OR EventDescription="Job Completed"
| fields Job_ID
| transaction Job_ID startswith="Job Created" endswith="Job Completed" keepevicted=t | where duration>0
| eval Job_Status=if(closed_txn=0, "Incomplete", "Complete")
| eval StartTime=strftime(_time, "%m-%d-%y %H:%M:%S"), EndTime=strftime(_time+duration, "%m-%d-%y %H:%M:%S")
| eval JobDuration = floor(duration/60/60)." Hours "
| table Job_ID Job_Status StartTime EndTime JobDuration
If interested in this approach, have a look at keepevicted in the docs here.
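To make the closed_txn rule from this answer concrete, here is an added Python model of what keepevicted=t produces, using constructed sample events; it is not code from the original post nor Splunk's own implementation. The transaction() function opens a group on the startswith event, closes it on the endswith event, and flags anything left open at the end of the window with closed_txn=0, then job_report() applies the same eval lines as the search above (Job_Status, StartTime, EndTime, JobDuration). It models only the behaviour described in the answer, not every nuance of the real command (maxspan, maxevents, reverse-time processing are assumptions left out); note in the output that a transaction consisting of a single "Job Created" event has duration 0.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): (_time, Job_ID, EventDescription)
EVENTS = [
    ("2024-01-01 08:00:00", "J1", "Job Created"),
    ("2024-01-01 09:30:00", "J1", "Job Completed"),
    ("2024-01-01 08:05:00", "J2", "Job Created"),      # never completes inside the window
    ("2024-01-01 08:10:00", "J3", "Job Created"),
    ("2024-01-01 08:20:00", "J3", "Job Progress"),     # intermediate event, not an endswith match
    ("2024-01-01 10:00:00", "J3", "Job Completed"),
]

FMT = "%Y-%m-%d %H:%M:%S"
OUT_FMT = "%m-%d-%y %H:%M:%S"   # same format string as the answer's strftime calls


def _close(txn, closed):
    """Summarise one group the way transaction emits it: _time, duration, eventcount, closed_txn."""
    times = [datetime.strptime(e[0], FMT) for e in txn]
    start, end = min(times), max(times)
    return {
        "Job_ID": txn[0][1],
        "_time": start,
        "duration": (end - start).total_seconds(),   # 0 when the group holds a single event
        "eventcount": len(txn),
        "closed_txn": 1 if closed else 0,
    }


def transaction(events, startswith, endswith, keepevicted=True):
    """Hypothetical model of `transaction Job_ID startswith=... endswith=... keepevicted=t`."""
    open_txns = {}
    results = []
    for ts, job_id, desc in sorted(events, key=lambda e: datetime.strptime(e[0], FMT)):
        if startswith in desc:
            # A new start for a job whose earlier group never closed evicts that group.
            if job_id in open_txns:
                results.append(_close(open_txns.pop(job_id), closed=False))
            open_txns[job_id] = [(ts, job_id, desc)]
        elif job_id in open_txns:
            open_txns[job_id].append((ts, job_id, desc))
            if endswith in desc:
                results.append(_close(open_txns.pop(job_id), closed=True))
        # Events for a job with no open group are ignored in this simplified model.
    # Only opened, never closed: evicted, which keepevicted=t reports with closed_txn=0.
    for txn in open_txns.values():
        results.append(_close(txn, closed=False))
    if not keepevicted:
        results = [r for r in results if r["closed_txn"] == 1]
    return sorted(results, key=lambda r: r["Job_ID"])


def incomplete_jobs(events):
    """Equivalent of appending `| search closed_txn=0` after the transaction command."""
    txns = transaction(events, "Job Created", "Job Completed", keepevicted=True)
    return [r["Job_ID"] for r in txns if r["closed_txn"] == 0]


def job_report(events):
    """Apply the answer's eval/table lines to the modelled transaction output."""
    rows = []
    for r in transaction(events, "Job Created", "Job Completed", keepevicted=True):
        end = r["_time"] + timedelta(seconds=r["duration"])
        rows.append({
            "Job_ID": r["Job_ID"],
            "Job_Status": "Incomplete" if r["closed_txn"] == 0 else "Complete",
            "StartTime": r["_time"].strftime(OUT_FMT),
            "EndTime": end.strftime(OUT_FMT),
            "JobDuration": f"{int(r['duration'] // 3600)} Hours",
        })
    return rows


if __name__ == "__main__":
    for row in job_report(EVENTS):
        print(row)
    print("incomplete:", incomplete_jobs(EVENTS))
```

Running it lists J1 and J3 as Complete and J2 as Incomplete with identical StartTime and EndTime, which is what the Job_Status eval above would show for an evicted single-event transaction.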