Thanks kamlesh it works now ...i forgot to delete endswith part. I will mark your solution as approved.One more think i would like to add timechart graph to below query how do i do that? My timechart command doesnt work. index=.........|rex " query captures status , jobname and timestamp in format HH:MM:SS"|transaction jobname startswith=(status="STARTING")|eventstats sum(duration) as totalduration by jobname| fields totoalduration jobName status |dedup jobName|eval totalduration=tostring(totalduration,"duration")|eval status = case(mvcount(status)==1,"STARTING",mvcount(status)==2,"RUNNING",1=1,"SUCCESS") |table jobName status totalduration|timechart list(totalduration) by jobName
... View more