In addition to the `count(eval())` options with stats as have already been suggested, another option would be to create a field that classifies your events by the durations you're interested in... then stats count by that new field... If you have the specific ranges that you're interested in...you could use eval to construct a classifier, and then stats count by that classifier. <base search> | eval classifier=case(time<100, "<100", time<200, "<200", time<300, "<300", true(), ">=300" ) | stats count by classifier Since you have a numeric field, you could use bin to make those classifiers instead: <base search> | bin time as classifier span=100 | stats count by classifier And of course there are many other methods of creating a classifier field (single or multi-valued), but the downside to doing a simple by clause is of course is that if you don't have a particular expected range/classifier in your data, you simply won't have that particular range in your output, which depending on your use case may be alright, or may be a problem.
... View more