For some reason there are entries that are not grouped together, but obviously look like they should be. In the following table, 2 rows with serviceTicketId = 00dcfe68-25d8-4c58-9228-5fc8f7ddb9d1 are on separate rows, other serviceTicketIds such as 00c093f4fc527e5ff7006566b1a0fd90 have one row, but multiple event times.

Here is my query:

(index=k8s_main "*Published successfully event=[com.nordstrom.customer.event.OrderLineReturnReceived*") OR (index="k8s_main" cluster="nsk-oak-prod" "namespace"=app04096 "*doPost - RequestId*") OR (index=k8s_main container_name=fraud-single-proxy-listener message="Successfully sent payload to kafka topic=order-events-avro*" contextMap.eventType="OrderLineReturnReceived")
| rename contextMap.orderId AS nefiOrderId contextMap.serviceTicketId AS nefiServiceTicketId
| rex field=eventKey "\[(?<omsOrderId>.*)\]"
| rex field=serviceTicketId "\[(?<omsServiceTicketId>.*)\]"
| rex "RequestId:(?<omniServiceTicketId>.*? )"
| rex "\"orderNumber\":\"(?<omniOrderId>.*?)\""
| eval appId = mvappend(container_name, app)
| eval orderId = mvappend(nefiOrderId, omsOrderId, omniOrderId)
| eval serviceTicketId = mvappend(nefiServiceTicketId, omsServiceTicketId, omniServiceTicketId) 
| stats dc(_time) AS eventCount values(_time) AS eventTime values(appId) AS app BY serviceTicketId orderId
| eval timeElapsed = now() - eventTime