I'm trying to create a timeline of events and I'm running into an issue when certain steps are repeated and the data is out of order.

My data originally comes from DB Connect so this is the format:
Batch# Step# StartTime EndTime

I'm trying to combine them into a transaction so I can get times between each step as well as duration of each step. It works great when I only have a single Step1 but when I have more than one I'm running into issues.

Since the data is coming from DBConnect the records don't show up in the order of actual time they happened.

This is essentially how things show up out of order:
_time Batch Start_Time
2018-04-30 20:01:21.100 Batch1 Step1 2018-04-30 19:00:18.0
2018-04-30 21:01:20.939 Batch1 Step1 2018-04-30 20:00:58.0
2018-04-30 21:01:20.939 Batch1 Step3 2018-04-30 20:53:05.0
2018-04-30 21:01:20.939 Batch1 Step1 2018-04-30 20:52:18.0
2018-04-30 21:01:20.939 Batch1 Step2 2018-04-30 20:52:20.0

I can get things together but then I have a multivalue field with any number of values.
Step1 2018-04-30 19:00:18.0 Step2 2018-04-30 20:52:20.0 Step3 2018-04-30 20:53:05.0
Step1 2018-04-30 20:00:58.0
Step1 2018-04-30 20:52:18.0

This is what I want:
Step1 2018-04-30 20:52:18.0 Step2 2018-04-30 20:52:20.0 Step3 2018-04-30 20:53:05.0

I have my search set up which captures all of the data but I still end up with 3 start times for step 1. When I try to add a startswith to my transaction it breaks things apart incorrectly and I can't use an endswith to fix it because the end changes.

This is the search I have currently:

index=foo source=bar 
| eval Step1_Start = case(Task_Name="Step1",Start_Time)
| eval Step2_Start = case(Task_Name="Step2",Start_Time)
| eval Step3_Start = case(Task_Name="Step3",Start_Time)
| transaction Batch_Id 
| table Batch_Id Task_Name Step1_Start Step2_Start Step3_Start

I'm not sure if I need to collect the data differently or work from the multi-value field. Any help/guidance would be appreciated.