here are the three queries

here's a sample data

Which part of the data uniquely identifies the process instance id? uuid? name? rootRun? Are any of these already extracted (as interesting fields)?

name=process and is extracted as "business_field"

yes, business_field is the name of the process

So looking at your sample data, business_field would be extracted as "(SaveCurrentDayRecordToDs) ", including the trailing space. This doesn't sound very unique. How do you distinguish one instance of this process running from another instance?

for completed in search i add "completed" and for processing i use "processing" in search and so on.. if you look at the queries its business_field + "status" that's what makes it unique

If they were unique, your chart would have a single count of 1. What I am trying to get to is how you can detect the start of the process instance running and the end of that instance. For example, if your log looks like this

09:00 (SaveCurrentDayRecordToDs) status:READY_TO_PROCESS
09:01 (SaveCurrentDayRecordToDs) status:PROCESSING
09:02 (SaveCurrentDayRecordToDs) status:COMPLETED
10:00 (SaveCurrentDayRecordToDs) status:READY_TO_PROCESS
10:02 (SaveCurrentDayRecordToDs) status:PROCESSING
10:03 (SaveCurrentDayRecordToDs) status:READY_TO_PROCESS
10:05 (SaveCurrentDayRecordToDs) status:COMPLETED
10:06 (SaveCurrentDayRecordToDs) status:PROCESSING
10:10 (SaveCurrentDayRecordToDs) status:COMPLETED

What would you expect the duration of (SaveCurrentDayRecordToDs) to be? How many durations would you want reported?

How do you distinguish each run of SaveCurrentDayRecordToDs from the other from the data in your logs or do you just assume that COMPLETED applies to the previous READY_TO_PROCESS?

Business_field is a value I extracted from the data and it holds different processes within,  this is what i used to extract it rex field=_raw "name\=\w+\s+(?<business_field>.*)\{"     so different processes will have their own "Ready To Process" or "Completed" and i would be able to see it

OK How many SaveCurrentDayRecordToDs READY_TO_PROCESS do you get in your first query?

depends on the time range i select

Can you give an example?

| stats earliest(_time) as start latest(_time) as end by business_field
| eval timetaken=end-start

Why is the time like this? and where is the start time taken from and the end time? 

The time taken is in seconds. If you want it as a duration in minutes and seconds, you could try

| fieldformat timetaken=tostring(timetaken,"duration")

If you want to see the start and end times you could do this

| fieldformat start=strftime(start,"%Y-%m-%d %H:%M:%S")
| fieldformat end=strftime(end,"%Y-%m-%d %H:%M:%S")

To which query do i add it to? "PROCESSING" of "COMPLETE"