First of all, thank you for a good(-ish) description of your issue. Try something like this:

| rex "(?<Date>\[[^\]]+\])\s(?<loglevel>\w+)\s-\swire\s(?<action_https>\S+)\sI\/O\s(?<correlationID>\S+)\s(?<direction>\S+)\s(?<message>.*)"
| eval grouping=correlationID.direction
| stats first(Date) as start last(Date) as end list(message) as message by grouping action_https correlationID loglevel
| eval Date=start
| eval duration=round(1000*(strptime(end,"[%F %T,%3N]")-strptime(start,"[%F %T,%3N]")),0)
| sort 0 Date
| table Date, loglevel, action_https, correlationID, message, duration

Note that your example shows unique combinations of correlationIDs and direction. If these are reused in your actual log, you may not get the results you expect. If so, please share a more representative version of your logs.
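The same extraction and per-correlation-ID timing, as an added Python example that is not part of the answer above, so the regex and the duration arithmetic can be checked offline before the search is run in Splunk. The log lines are constructed from the field layout the rex implies (the exact wire-log format is an assumption), input is assumed to be in chronological order, and lines the regex does not match are dropped rather than silently given empty fields.

```python
import re
from datetime import datetime
from collections import OrderedDict

# Same named groups as the rex in the answer above (Python spells them ?P<name>)
LOG_RE = re.compile(
    r"(?P<Date>\[[^\]]+\])\s(?P<loglevel>\w+)\s-\swire\s(?P<action_https>\S+)\sI/O\s"
    r"(?P<correlationID>\S+)\s(?P<direction>\S+)\s(?P<message>.*)"
)

# Constructed sample lines; the format is assumed from the rex, not taken from a real log
SAMPLE = """\
[2024-05-01 10:00:00,100] DEBUG - wire http-outgoing-1 I/O abc123 >> "GET /api HTTP/1.1"
[2024-05-01 10:00:00,120] DEBUG - wire http-outgoing-1 I/O abc123 >> "Host: example.com"
[2024-05-01 10:00:00,350] DEBUG - wire http-outgoing-1 I/O abc123 << "HTTP/1.1 200 OK"
[2024-05-01 10:00:00,360] DEBUG - wire http-outgoing-1 I/O abc123 << "Content-Length: 2"
not a wire line at all
"""

def parse_ts(date_field):
    # Mirrors strptime(x, "[%F %T,%3N]"); %f accepts the 3-digit millisecond part
    return datetime.strptime(date_field, "[%Y-%m-%d %H:%M:%S,%f]")

def correlate(text):
    """One row per correlationID.direction, like the eval/stats/eval chain.

    Assumes lines arrive in chronological order, so the first line seen for a
    group is its start and the last is its end."""
    groups = OrderedDict()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: no fields, so it joins no group
        f = m.groupdict()
        key = f["correlationID"] + f["direction"]  # grouping=correlationID.direction
        g = groups.setdefault(key, {"start": f["Date"], "messages": [],
                                    "action_https": f["action_https"],
                                    "correlationID": f["correlationID"],
                                    "loglevel": f["loglevel"]})
        g["end"] = f["Date"]
        g["messages"].append(f["message"])
    rows = []
    for g in groups.values():
        # round(1000*(strptime(end)-strptime(start)),0): duration in milliseconds
        ms = (parse_ts(g["end"]) - parse_ts(g["start"])).total_seconds() * 1000
        rows.append({"Date": g["start"], "loglevel": g["loglevel"],
                     "action_https": g["action_https"], "correlationID": g["correlationID"],
                     "message": g["messages"], "duration": round(ms)})
    rows.sort(key=lambda r: parse_ts(r["Date"]))  # sort 0 Date
    return rows
```

Because the group key is correlationID plus direction, a reused correlation ID in a real log merges unrelated requests into one row and inflates the duration, which is the caveat the answer raises.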