Following should give you duration between request and response. If there are more than two events for a particular request_uuid and session_id, then min(client_timestamp) should give you request time and max(client_timestamp) should give you response time. You can also try first() and last() instead of min() and max().
sourcetype=latency_logs session_id=* (device_name="Device *" OR action="response_received")
| stats count as eventcount min(client_timestamp) as requestTime max(client_timestamp) as responseTime values(device_name) as device_name values(action) as action by request_uuid, session_id
| where eventcount=2 AND isnotnull(action)
| eval duration = responseTime - requestTime
PS:
- Your transaction seems to be a combination of request_uuid and session_id so I have used both in stats query.
- Your last example seems to be having request_uuid from second last event and session_id from first event. Seems confusing or maybe incorrect.
- You can use fieldformat on requestTime and responseTime to show Time in Human readable format and also capture values(location) as location to show location information in final result.
... View more