Agree with others that your purpose is better served by knowing your data.  Given what you have revealed, you can simply describe the four events and lay them out with xyseries. index=application_na sourcetype=my_logs:hec appl="*" message="***" | eval event = case(match(message, "Received request"), "DoPayment start", match(message, "Sending result"), "DoPayment end", match(message, "Sending request"), "OtherApp start", match(message, "Received result"), "OtherApp end") | eval _time = strftime(_time, "%F %T.%3N") | xyseries interactionid event _time Obviously regex's used in the match functions are just to illustrate what you can do.  But xyseries can achieve what you want without complex transformations.  Using your mock data, the output is interactionid DoPayment end DoPaymet start OtherApp end OtherApp start 12345 2025-06-26 07:55:58.017 2025-06-26 07:55:56.317 2025-06-26 07:55:57.512 2025-06-26 07:55:56.717 Here is an emulation you can play with and compare with real data | makeresults format=csv data="interactionid,_time,message 12345,2025-06-26 07:55:56.317,TimeMarker: WebService: Received request. (DoPayment - ID:1721 Amount:16 Acc:1234) 12345,2025-06-26 07:55:56.717,OtherApp: -> Sending request with timeout value: 15 12345,2025-06-26 07:55:57.512,TimeMarker: OtherApp: Received result from OtherApp (SALE - ID:1721 Amount:16.00 Acc:1234) 12345,2025-06-26 07:55:58.017,TimeMarker: WebService: Sending result @20234ms. (DoPayment - ID:1721 Amount:16 Acc:1234)" | eval _time = strptime(_time, "%F %T.%N") | sort - _time ``` above emulates index=application_na sourcetype=my_logs:hec appl="*" message="***" ```   ... View more

You still need the timechart from your original search my query | rex field=_raw "Time=(?<NewTime>\d{4}\.\d+)" | eval TimeMilliseconds=(NewTime*1000) | timechart span=1d count as total, count(eval(TimeMilliseconds<=1000)) as "<1sec", count(eval(TimeMilliseconds>1000 AND TimeMilliseconds<=2000)) as "1sec-2sec" count(eval(TimeMilliseconds>2000 AND TimeMilliseconds<=5000)) as "2sec-5sec" count(eval(TimeMilliseconds>48000 )) as "48sec+", by msgsource | untable _time msgsource count | eval group=mvindex(split(msgsource,": "),0) | eval msgsource=mvindex(split(msgsource,": "),1) | eval _time=_time.":".msgsource | xyseries _time group count | eval msgsource=mvindex(split(_time,":"),1) | eval _time=mvindex(split(_time,":"),0) | table _time msgsource total * ... View more

@kuul13  This is a straightforward use of the chart command, see this run anywhere example | makeresults count=20 | fields - _time | eval ClientName=mvindex(split("ABC",""), random() % 3) | mvexpand ClientName | eval ClientName="Client ".ClientName | eval apiName="retrievePayments".mvindex(split("ABCD",""), random() % 4) | chart count over ClientName by apiName This sets up some example data and then uses the chart command do to the tabling you need. ... View more