The information in each log record is: timestamp, client_ip_address, api, process_micros
sourcetype=requests source="*STATUS*"
| transaction client_ip_address maxspan=7m maxpause=1m keeporphans mvlist=t
| eval client_ip_address=mvindex(client_ip_address,0)
| eval munge=mvzip(api, process_micros, "|") | fields - api, process_micros
| mvexpand munge
| eval api=replace(munge, "\|.*$", "")
| eval process_micros=replace(munge, "^.*\|", "")
| eval munge=client_ip_address. "|" . _time
| chart count sum(process_micros) AS process_micros OVER munge BY api
| eval client_ip_address=replace(munge, "\|.*$", "")
| eval _time=replace(munge, "^.*\|", "")
| table _time, client_ip_address, duration, eventcount, count*, process_micros*, total_count, total_process_micros
Missing and required are total_count = sum(count*) for the transaction, total_process_micros = sum(process_micros*), and duration from the transaction.
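A reference model of the table this search is after, as an added example that is not part of the original post: it groups records per client IP with the same 7-minute span and 1-minute pause limits and emits the per-api and total columns, so the Splunk output can be checked against it. The sample records and the `count_<api>` / `process_micros_<api>` column names are constructed, and events are processed oldest-first, which is a simplifying assumption about how `transaction` groups them.

```python
from collections import defaultdict

MAXSPAN = 7 * 60   # seconds, mirrors maxspan=7m
MAXPAUSE = 60      # seconds, mirrors maxpause=1m

# Constructed sample records: (timestamp, client_ip_address, api, process_micros)
SAMPLE = [
    (1000, "10.0.0.1", "login", 1200),
    (1030, "10.0.0.1", "search", 5400),
    (1050, "10.0.0.1", "search", 4600),
    (1200, "10.0.0.1", "login", 900),   # 150 s gap exceeds maxpause: new transaction
    (1010, "10.0.0.2", "search", 3000),
]

def sessionize(records, maxspan=MAXSPAN, maxpause=MAXPAUSE):
    """Yield (ip, [records]) transactions per client IP, oldest event first."""
    by_ip = defaultdict(list)
    for rec in sorted(records):
        by_ip[rec[1]].append(rec)
    for ip, recs in by_ip.items():
        txn = [recs[0]]
        for rec in recs[1:]:
            # Close the transaction when either the pause or the span limit breaks.
            if rec[0] - txn[-1][0] > maxpause or rec[0] - txn[0][0] > maxspan:
                yield ip, txn
                txn = [rec]
            else:
                txn.append(rec)
        yield ip, txn

def summarize(records, maxspan=MAXSPAN, maxpause=MAXPAUSE):
    """One row per transaction: duration, eventcount, per-api and total columns."""
    rows = []
    for ip, txn in sessionize(records, maxspan, maxpause):
        row = {"_time": txn[0][0], "client_ip_address": ip,
               "duration": txn[-1][0] - txn[0][0], "eventcount": len(txn),
               "total_count": 0, "total_process_micros": 0}
        for _, _, api, micros in txn:
            row["count_" + api] = row.get("count_" + api, 0) + 1
            key = "process_micros_" + api
            row[key] = row.get(key, 0) + micros
            row["total_count"] += 1
            row["total_process_micros"] += micros
        rows.append(row)
    return sorted(rows, key=lambda r: (r["_time"], r["client_ip_address"]))

if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(r)
```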