There are plenty of ways to go about it; rex is one way, but then I am partial to regular expressions.
sourcetype="xxx" (country="CO*" OR country="VE*" OR country="PE*")
| rex field=country "^(?<country_code>[A-Z]*)"
| ...
The rex clause will extract the 2-digit country code into a new field called country_code.
BTW, I am not sure if you actually want to use the transaction command in your query - transaction will merge all log entries with the same transID into one big entry and I am not sure what avg will actually be returning in this case as there are multiple records which might have multiple duration fields.
One thing is for sure - transaction makes queries really slow when there's a fair amount of data involved, so if you simply need the average duration per log entry and split by country code, you wouldn't need it.
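The search the answer describes, with the rex extraction feeding stats directly and no transaction step, as an added example that is not part of the original post. The makeresults events, the "CO-Bogota"-style country values, the duration numbers and the avg_duration and events names are constructed for illustration so the search runs without any indexed data.

```spl
| makeresults count=6
| streamstats count AS n
| eval country=case(n<=2, "CO-Bogota", n<=4, "VE-Caracas", true(), "PE-Lima"), duration=n*10
| rex field=country "^(?<country_code>[A-Z]*)"
| stats avg(duration) AS avg_duration count AS events BY country_code
```

Because `[A-Z]*` takes every leading uppercase letter, a value such as "COLOMBIA" would land in country_code whole; `[A-Z]{2}` limits the capture to the first two letters.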