eval eventTime=_time did the trick , thanks for all the help

@musskopf I have follow up question for same query - can you take a look

http://answers.splunk.com/answers/194858/remove-unique-rows-from-table.html

transaction is working fine because it gives me multiple eventCount based on # of similar IDs

Problem is _time is always of the first item that we have in group while using transaction.

ok, so add | eval eventTime=_time before the transaction command:

(status="uploading" OR status="completed") | eval eventTime=_time | transaction id | table id, _time, eventTime

But as I mentioned, Splunk will show it as seconds, you should be able to convert it back using somenthing like: | convert timeformat="%F %T" ctime(eventTime) at the end.

Using t give null and _time still pulls only 1 item

If you take the transaction command off, is your search returning duplicated values on the id column? The transaction command should just "group" all the events having the same "id" and create multi-value fields for cases where the same field has distinct values.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

Yes, I mistakenly removed third row which had same ID as first. Let me try your approach.

Sorry but _time is not getting me multiple _time when grouped by id,

(status="uploading" OR status="completed") | transaction id | table id, _time

above query gives only one result time, am I doing something wrong?

P.S : Don't have enuf point to reply to your answer below

Try using:

(status="uploading" OR status="completed") | transaction id mvlist=t | table id, _time

or

(status="uploading" OR status="completed") | transaction id mvlist=_time | table id, _time

Ok, now things changed a bit... You might are looking for the command transaction, which will add the field duration that is exactly the time from the first event till the last event. But in your example, the IDs are different. Should they be the same?