index=**** source_type=** cf_app_name=** api_call="*" | where like (api_call, "%xyz%") | table _time,response_code, duration,api_call | bin _time span=1d | appendpipe [ | chart count over api_call by response_code ] | stats sum(*) as *,count as Number_Of_Calls,perc95(duration) as perc95_duration,avg(duration) as avg_duration by api_call | eval perc95_duration=round(perc95_duration,3),avg_duration=round(avg_duration,3) | sort - _time | fields - duration,response_code | table api_call,_time,*,Number_Of_Calls my _time column is always blank. Either _time or response codes are filled in.
... View more