Please share an example of what your log lines look like, to help work out the query.
Thanks for the response.
We can refer to the log statements and keywords below for our query: transaction submitted (log 1), transaction in-progress (log 2), transaction completed (log 3).
Can there only ever be a single transaction submitted at any time? That is, could you never have the following interleaving:
transaction submitted (1)
transaction in-progress (1)
transaction submitted (2)
transaction in-progress (2)
transaction completed (2)
transaction completed (1)
Another issue is how you want to handle a transaction that starts inside your 30 minute window but has not yet finished, so has no log 2 or log 3.
You can do something simple like this:
<your search>
| stats
sum(eval(if(match(type,"transaction submitted"), 1, 0))) as Submitted
sum(eval(if(match(type,"transaction in-progress"), 1, 0))) as InProgress
sum(eval(if(match(type,"transaction completed"), 1, 0))) as Completed
| where !(Submitted=InProgress AND Submitted=Completed)
where the field 'type' contains your log type.
Or you can use the 'transaction' command with
| transaction startswith="submitted" endswith="completed" keeporphans=t
| where _txn_orphan=1 OR eventcount<3
This will return only those transactions that do not have both submitted and completed events, as well as those that do not have 3 events in total.
Note that using transaction is not the best approach, as you need to consider your data size, the duration of a typical transaction and other things that may affect memory usage; you can see random results if memory becomes an issue.
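To illustrate the difference between the two approaches above (the count-only `stats` check versus grouping events per transaction as `transaction ... keeporphans=t` does), here is an added Python example that is not part of the original answer. The log lines are constructed, and the `txn=` field used to tie the three events together is an assumption: the thread never names a transaction id field, but without one no per-transaction correlation is possible. The sample includes the interleaving asked about above (txn 1 and 2), a transaction missing its in-progress event (txn 3), one with a duplicated in-progress event (txn 4), and one still open at the end of the window (txn 5).

```python
"""Detect incomplete submitted / in-progress / completed transaction chains.

Added example, not from the original thread. The log format and the
`txn=` field are assumptions; the log lines below are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

EXPECTED = ("transaction submitted", "transaction in-progress", "transaction completed")

# Constructed sample log lines (not real data).
SAMPLE_LOGS = """\
2024-01-01T10:00:00 txn=1 type="transaction submitted"
2024-01-01T10:00:05 txn=1 type="transaction in-progress"
2024-01-01T10:00:10 txn=2 type="transaction submitted"
2024-01-01T10:00:12 txn=2 type="transaction in-progress"
2024-01-01T10:00:20 txn=2 type="transaction completed"
2024-01-01T10:00:30 txn=1 type="transaction completed"
2024-01-01T10:05:00 txn=3 type="transaction submitted"
2024-01-01T10:05:01 txn=3 type="transaction completed"
2024-01-01T10:06:00 txn=4 type="transaction submitted"
2024-01-01T10:06:02 txn=4 type="transaction in-progress"
2024-01-01T10:06:03 txn=4 type="transaction in-progress"
2024-01-01T10:06:09 txn=4 type="transaction completed"
2024-01-01T10:28:00 txn=5 type="transaction submitted"
2024-01-01T10:28:04 txn=5 type="transaction in-progress"
"""

# Assumed line layout: ISO timestamp, txn=<id>, type="<event type>".
LINE_RE = re.compile(r'^(?P<ts>\S+) txn=(?P<txn>\S+) type="(?P<type>[^"]+)"$')


def parse_logs(text):
    """Parse the constructed log format into (timestamp, txn, type) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not transaction events
        events.append((datetime.fromisoformat(m["ts"]), m["txn"], m["type"]))
    return events


def in_window(events, start, end):
    """Keep only events inside the search window [start, end)."""
    return [e for e in events if start <= e[0] < end]


def count_check(events):
    """Equivalent of the stats approach: count each step, flag if the totals differ.

    Returns (counts, ok). ok=True means the three totals are equal, which is
    necessary but not sufficient for every transaction to be well formed.
    """
    counts = Counter(typ for _, _, typ in events)
    totals = [counts[t] for t in EXPECTED]
    return counts, all(n == totals[0] for n in totals)


def correlate(events):
    """Group events per transaction id (what `transaction ... keeporphans=t` does)
    and classify each one:
      complete - exactly submitted, in-progress, completed, in order
      open     - started inside the window but not finished yet (a prefix of EXPECTED)
      broken   - anything else: missing step, duplicate step, or orphan without submitted
    """
    by_txn = defaultdict(list)
    for _, txn, typ in sorted(events):  # chronological order handles interleaving
        by_txn[txn].append(typ)
    status = {}
    for txn, steps in by_txn.items():
        steps = tuple(steps)
        if steps == EXPECTED:
            status[txn] = "complete"
        elif steps == EXPECTED[: len(steps)]:
            status[txn] = "open"
        else:
            status[txn] = "broken"
    return status


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    start = datetime.fromisoformat("2024-01-01T10:00:00")
    for end in ("2024-01-01T10:27:00", "2024-01-01T10:30:00"):
        window = in_window(events, start, datetime.fromisoformat(end))
        counts, ok = count_check(window)
        print(f"window to {end}: counts={dict(counts)} all_equal={ok}")
        print("  per-transaction:", correlate(window))
```

In the window ending at 10:27 the three counts are all 4, so the `stats`-style check reports nothing wrong even though txn 3 is missing its in-progress event and txn 4 has it twice; the per-transaction grouping flags both. Extending the window to 10:30 pulls in txn 5, which makes the counts differ, and the grouping shows it is merely still open rather than broken, which is the distinction the question about unfinished transactions was asking about.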