Thanks for your reply 🙂  I now created this search:

searchterms
| eval start_time = if(like(_raw, "%START%"), 'start', 'null')
| eval end_time = if(like(_raw, "%END%"), 'end', 'null')
| transaction JobDescription startswith=(LogMessage="* START *") endswith=(LogMessage="* END *") maxevents=5000
| chart count(duration) over _time

The result looks like this:

As you can see, there's always at least one duration during the whole 24 hours. But in reality, there are only a few transactions during day. So I'm wondering: Is it possible that the transaction command returns the "duration" field even for timestamps where the created transaction didn't occour? Or is it just because there might be transactions that collect events which don't contain "END" and are fewer than 5000 in sum?

Thanks again 🙂

Update:
I just set the span to 10 sec and as shown in the picture, the chart is still using just one specific point to view the event. What am I doing wrong?

You're using count of duration which will show you number of values of duration per _time (I don't remember which time it refers to in case of transaction; I'd assume a transaction start time). If you want to chart values for duration you'd need values(duration).

I suppose it might cause some problems if you happen to have two or more transactions beginning at exactly the same moment

I see. But my aim is to have the number of JobDescription displayed on the Y-axis and the _time on the X-axis. The count should increment with the start_time and the graph should keep this values until the end_time is reached. (I hope it's understandable, I'm trying my best :D). Using the values command, we end up with the.. well.. values from duration on the Y-axis. 🙂

I'm beginning to suspect that you want to get something different than I'm trying to do 🙂