I figured out the following, can this be tweaked?

sourcetype="access_log" host=hstname* USERID "search"
| eval headers=split(_raw," ")
| eval method=mvindex(headers,5)
| eval Request=mvindex(headers,6)
| eval Status=mvindex(headers,8)
| eval Payload=mvindex(headers,9)
| eval req_time=mvindex(headers,10)
| eval uri=mvindex(headers,11)
| eval Method=replace(method,"\"","")
| eval uri=replace(uri,"\"","")
| eval RequestTime_Seconds = req_time*0.001
| eval Response_Time_in_Seconds= round(RequestTime_Seconds,2) | table Response_Time_in_Seconds host _time Request Status | where Response_Time_in_Seconds > 5

The Output i get:

Response_Time_in_Seconds host _time Request Status
1 5.89 HOSTNAME 2021-08-20 02:40:31 /rest/api/2/search 200
2 7.34 HOSTNAME 2021-08-20 04:42:25 /rest/api/2/search 200