I have logs of conversations, identified by a common field (a unique ID) and an end-marker. Some conversations get aborted without ending normally. I want a search that produces {_time, duration} pairs for every conversation that completed, and either {_time, running-sum} or final-sum for orphan transactions.
I could do this as two separate searches, one to get non-orphans
... | transaction convo_id endswith="end" unifyends=true keeporphans=false | table _time, duration
and one to get the orphans
... | transaction convo_id endswith="end" unifyends=true keeporphans=true | stats count(_txn_orphan) as orphan_count
But I'd rather not compute the transaction and the pipeline up to it twice in a row. Can I combine the last two parts of my search somehow?
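An added example (not from the original post) of one way to get both result sets from a single transaction pass: keep the orphans in the pipeline, label each row, and let streamstats carry the running orphan count while completed transactions keep their duration. Only convo_id, duration and _txn_orphan come from the question; kind and orphan_running are names chosen here.

```spl
... | transaction convo_id endswith="end" unifyends=true keeporphans=true
| eval kind=if(_txn_orphan=1, "orphan", "complete")
| streamstats count(eval(kind="orphan")) AS orphan_running
| eval duration=if(kind="complete", duration, null())
| table _time kind duration orphan_running
```

The final row's orphan_running is the total orphan count, so the separate stats search is not needed; filter on kind if you want the two sets in separate tables.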