I am trying to pull some stats from splunk around how long a user session was active for.

in the logs i have a logon message, and either a corresponding log off message or a session timeout message and i can correlate the messages by a session token present in each message.

I have the following query which uses transaction to tie everything together

index=diagnostic (host="*ABC*" OR host="*DEF*" OR host="*XYZ*") (mod="Authenticator" AND opn="Logout Service" AND msgId="AUDIT_MSG_005" AND ssoTicket=* ) OR (mod="Authenticator" AND opn="Validate Service" AND msgId="AUDIT_MSG_005" AND ssoTicket=* ) OR (mod="SESSIONTIMEOUT" AND opn="SESSION_TIMEOUT" AND msgId="Working On Key:*")
| rex field=msgId "(?<ssoTicket><TOKEN REX>)" 
| fields ssoTicket,msgId 
| transaction ssoTicket startswith="Validate Service" endswith=("Logout Service" OR "SESSIONTIMEOUT")
| stats avg(duration) as "Avg Sess. Dur(sec)",perc25(duration) as "25th percentile",perc75(duration) as "75th Percentile",perc95(duration) as "95th percentile", max(duration) as "Max Sess. Dur(sec)", dc(ssoTicket) as "Unique Sess.", count(eval(duration>36000)) as "sess. > 10hrs"

However it does not appear to be returning all the results I expect, for instance If i run it for a 24 hour period I don't see any sessions that went over 10 hours. and the overall session count is a lot lower then i would expect for a 24 hour period.

I know there are sessions that hit the time out window as I can see the tiimeout message, and If i search for that session token along with the token of a session that was logged out, the stats look ok.

so how do I get transaction to return all the results i need, or produce the same stats without using transaction?

Thanks