@jacobpevans, can I ask a related question? I would like to extract the time associated with the events as well. I used the search below, which gives me the Time values, but the times themselves are sorted in ascending order and are not really related to the events with the maximum duration. Any pointers as to what I got wrong?

| makeresults | eval _raw = "2021-02-17 09:09:50 Calculated ABC. Action took 100 milliseconds"
| append [ | makeresults | eval _raw = "2021-02-17 10:09:50 Calculated XYZ. Action took 122450 milliseconds" ]
| append [ | makeresults | eval _raw = "2021-02-17 11:09:50 Calculated ABC. Action took 10 milliseconds" ]
| append [ | makeresults | eval _raw = "2021-02-17 12:09:50 Calculated XYZ. Action took 67543 milliseconds" ]
| append [ | makeresults | eval _raw = "2021-02-17 14:09:50 Calculated ABC. Action took 11 milliseconds" ]
| append [ | makeresults | eval _raw = "2021-02-17 15:09:50 Calculated XYZ. Action took 5 milliseconds" ]
| append [ | makeresults | eval _raw = "2021-02-17 16:09:50 Calculated ABC. Action took 600 milliseconds" ]
| rex field=_raw "Calculated (?<ACTION>[^\.]+)\."
| rex field=_raw "Action took (?<DURATION>\d+) milliseconds"
| eval _time = strftime(_time,"%F %H:%M:%S")
| sort 0 ACTION -DURATION
| streamstats count by ACTION
| where count <= 2
| stats list(DURATION) as "Top 2 Durations", values(_time) as Time by ACTION
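As an added example (not part of the original post), here is a version of the same search that keeps each time paired with its duration. It parses the timestamp out of _raw with strptime instead of using the _time that makeresults assigns (which is the current time for every row), and it uses list() instead of values() in the final stats, because values() deduplicates and sorts its output and so loses the pairing with the durations. The field names ts and rank are my own choices.

```spl
| makeresults | eval _raw = "2021-02-17 09:09:50 Calculated ABC. Action took 100 milliseconds"
| append [ | makeresults | eval _raw = "2021-02-17 10:09:50 Calculated XYZ. Action took 122450 milliseconds" ]
| append [ | makeresults | eval _raw = "2021-02-17 11:09:50 Calculated ABC. Action took 10 milliseconds" ]
| append [ | makeresults | eval _raw = "2021-02-17 12:09:50 Calculated XYZ. Action took 67543 milliseconds" ]
| append [ | makeresults | eval _raw = "2021-02-17 14:09:50 Calculated ABC. Action took 11 milliseconds" ]
| append [ | makeresults | eval _raw = "2021-02-17 15:09:50 Calculated XYZ. Action took 5 milliseconds" ]
| append [ | makeresults | eval _raw = "2021-02-17 16:09:50 Calculated ABC. Action took 600 milliseconds" ]
| rex field=_raw "^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Calculated (?<ACTION>[^\.]+)\. Action took (?<DURATION>\d+) milliseconds"
| eval _time = strptime(ts, "%Y-%m-%d %H:%M:%S")
| eval DURATION = tonumber(DURATION)
| sort 0 ACTION -DURATION
| streamstats count as rank by ACTION
| where rank <= 2
| eval Time = strftime(_time, "%F %H:%M:%S")
| stats list(DURATION) as "Top 2 Durations", list(Time) as Time by ACTION
```

Because list() preserves row order for both fields, the n-th entry of "Top 2 Durations" and the n-th entry of Time in each ACTION row come from the same event.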