This only works if there are multiple results on the chart, not a single line. In those cases, the colors ARE different. Your method can choose the color set used, but it has nothing to do with the search producing multiple results.

Agree....read the question incorrect. I thought he's looking standard colors to pick from....apologize for going tangents

Change your timechart to:

... | timechart avg(duration) AS "Response Time" by RTG_Call

This does work BUT RTG_Call accounts for both request and response. So I'm getting 2 identical lines for each call. So for 8 web service calls, I'm getting 16 lines. Any idea on how I can exclude the dups?

I didn't see the first reply you posted. Can you please elaborate more on the (webcallfield=1 etc..?).. Currently, I have it set up like RTG_Call="<GetDeliverySchedule*"and now taking your suggestion, how should I format this? Would it be like this?

(RTG_Call="<GetDeliverySchedule*") = 1 or (RTG_Call="<GetProductAvailability*") = 2)

No, I didn't have your search string that produced your results, so it was an example of different web calls. Your search should work perfectly fine. To translate, where I was using an arbitrary name of webcallfield you used your real field name of RTG_Call.

Try adding:

... | dedup RTG_Call

To the end.

I added this and nothing is coming back

| timechart avg(duration) AS "Response Time" by RTG_Call | dedup RTG_call

Hrm. Perhaps place the dedup before timechart.

I just tried this and it excluded all my data except for one line but kept the dupes in calls (request and response for each call). I think this will work if I get the example you posted above working. I currently have RTG_Call="<GetDeliverySchedule*"but how should I format this? You say I can set each call = 1,2 etc.. but this would mean that it has 2 equal signs in it which would mess it up. How should I format this?

Would it be like this?

... | timechart ((RTG_Call="<GetDeliverySchedule*") =1 ) AS DeliverySchedule1 

In your search, you have RTG_Call="GetDeliverySchedule*". Does that mean there are two values that match due to the * at the end? Is this why you have 16 items not 8?

Yes correct, when I did the extraction, RTG_Call picks up the request and response. So when I use RTG_Call="GetDeliverySchedule*"this means the request and response.

GetDeliverySchedule is the request and GetDeliveryScheduleResponse is our response. So using a star (*) after GetDeliverySchedule would allow us to get both. In this case when I graph it, the request and response have identical response times, so would there be anyway to just exclude the responses?

Could I do a NOT GetDeliverySchedule* somewhere in my search to get rid of the dupes?

Try this (I just tested it with a similar search):

... | where NOT match(RTG_Call,"Response$")

That will remove the events with *Response at the end. If you want to keep those and not the others, remove the NOT.

I'm trying it with 2 web services for simplification and if it works then I'll include all the other ones. I just tried your suggestion and unfortunatly still getting the responses. Below is my search

index=unleashed RTG_Call="<GetDeliverySchedule*" OR RTG_Call="<GetProductAvailability*" | transaction GUID startswith="fterReceiveRequest" endswith="BeforeSendReply" | timechart avg(duration) AS Response by RTG_Call | where NOT match(RTG_Call,"Response$")

No, my example was a fictitious search to find fields that could be acted upon.

I've included 8 calls and grouped them together using a GUID which is a unique identifier for the request and response. There will only be 2 of the same GUID's, one attached to the request and the other attached to the response so we're able to tie together the request and response. This provides a good timechart of the response times, but only gives ones line of the average response time across all calls. I need to split the calls up and let them have their own line.

index=unleashed RTG_Call="GetDeliverySchedule*" OR RTG_Call="GetProductAvailability*" OR RTG_Call="GetRelatedOrder*" OR RTG_Call="CreateOrder*" OR RTG_Call="MultiFindInShowroom*" OR RTG_Call="InqGeAuthorization*" OR RTG_Call="InqTdrsAuthorization*" OR RTG_Call="GetOrder*" | transaction GUID startswith="fterReceiveRequest" endswith="BeforeSendReply" | timechart avg(duration) AS "Response Time"