track=prod app=servicename
| stats earliest(_time) as start latest(_time) as end by TrackingId
| eval response=end-start
| stats avg(response)

This assumes that you are not just after the elapsed value from the log entry shown. Also, the problem with this method is that TrackingIds may span your time boundaries, i.e. there could be entries before the time period starts for TrackingIds in the time period, and similarly entries after the time period ends which don't get included in the calculation, giving lower response times.

If you just need the elapsed time from the log entry, assuming it isn't already extracted, you could use

| rex "elapsed=(?<elapsed>\d+)"
| stats avg(elapsed)
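
The boundary effect described in the answer above, as an added example that is not part of the original post: Python over constructed events, where the window bounds, the pad value and the function names are assumptions made for illustration. The padded variant is one possible way to reduce the effect and is not something the answer proposes.

```python
# Constructed sample events: (epoch seconds, TrackingId). Not real log data.
EVENTS = [
    (95, "A"), (110, "A"),    # starts before the window, ends inside it
    (120, "B"), (130, "B"),   # fully inside the window
    (150, "C"), (158, "C"),   # fully inside the window
    (190, "D"), (215, "D"),   # starts inside the window, ends after it
]


def spans(events, lo, hi):
    """Return {TrackingId: (earliest, latest)} over events with lo <= t < hi."""
    first, last = {}, {}
    for t, tid in events:
        if lo <= t < hi:
            first[tid] = min(t, first.get(tid, t))
            last[tid] = max(t, last.get(tid, t))
    return {tid: (first[tid], last[tid]) for tid in first}


def avg_response(events, lo, hi):
    """Same calculation as the search: avg(latest - earliest) by TrackingId."""
    s = spans(events, lo, hi)
    if not s:
        return None
    return sum(end - start for start, end in s.values()) / len(s)


def avg_response_padded(events, lo, hi, pad):
    """Assumed mitigation: read pad seconds either side of the window, then
    keep only TrackingIds whose first event falls inside [lo, hi)."""
    s = spans(events, lo - pad, hi + pad)
    kept = [end - start for start, end in s.values() if lo <= start < hi]
    if not kept:
        return None
    return sum(kept) / len(kept)


if __name__ == "__main__":
    # A and D each contribute a single in-window event, so their span is 0.
    print("window 100-200 only :", avg_response(EVENTS, 100, 200))
    print("all events          :", avg_response(EVENTS, 0, 1000))
    print("padded by 30 seconds:", avg_response_padded(EVENTS, 100, 200, 30))
```

The pad only helps when it is at least as long as the longest expected request; anything longer is still clipped.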