Hi @ramana4u,
the solution from @yuanliu will surely work, but I don't like transaction command because it's a very slow command And I prefer to use transaction command only if other solutions will not work.
So please try also this solution:
index=your_index source IN (Request.log, Response.log)
| eval kind=if(source="Request.log","Request","Response")
| stats
dc(kind) AS kind_count
values(kind) AS kind
earliest(eval(if( kind="Request",_time,""))) AS earliest
latest(eval(if( kind="Request",_time,""))) AS latest
BY requestID
| eval duration=latest-earliest
| where (kind_count=1 AND kind="Request") OR (kind_count=2 AND duration>1800)
In addition: use always the index in your main search, you'll have faster searches.
Ciao.
Giuseppe
