@gcusello Yes, I am populating the data in the _time field. I can see timestamp in _time in the output but it does not seem to use "_time" field for indexing. I tried both epoch and formatting like below.
| makeresults
| eval moduleName="".module.""
| eval uri="<<<URL>>>"
| eval header="<<<Header INFO>>>"
| curl method=get headerfield=header urifield=uri
| spath input=curl_message
| table "result{}.metricId" "result{}.data{}.values{}" "result{}.data{}.timestamps{}" moduleName
| rename "result{}.data{}.values{}" as "Failures"
| rename "result{}.data{}.timestamps{}" as "Time"
| eval tmp_field = mvzip(Failures, Time, "-|-")
| fields tmp_field moduleName
| mvexpand tmp_field
| makemv delim="-|-" tmp_field
| eval Failures = mvindex(tmp_field, 0)
| eval Time = mvindex(tmp_field, 1)
| eval _time=strftime((Time/1000),"%Y-%m-%dT%H:%M:%S.%Q")
| fields - tmp_field Time
| search Failures!=null
| table _time moduleName Failures
