I think this will help ...

index=wineventlog EventCode=6006 OR EventCode="6005" Type=Information
| transaction host startswith=6006 endswith=6005 maxevents=2
| eval Units=case(duration<60, " Sec", duration<3600, " Min", duration<86400, " Hours", duration>86400, " Days")
| eval Duration=case(duration<60, duration, duration<3600, duration/60, duration<86400, duration/3600, duration>86400, duration/86400)
| table _time host duration Duration Units