Kristian,
Thanks for this, I'm getting somewhere, I think.
Searching within one minute's span (2012-09-07 01:03),
category=api_request OR category=api_response | stats c by api_transaction | search c=1 category=api_request
696 matching events, 0 results
category=api_request OR category=api_response | stats c by api_transaction | search c=1
696 matching events, 5 results
I guess the trick is that category qualifer in your example weeds out api_response entries at the beginning of 01:03 for which api_request entries came in earlier at 01:02?
... View more