Thank you very much!
I was looking for such a solution 🙂
I ended up with this one:
index="_audit" action=search NOT search_id=*scheduler* NOT saved_search=*
| rex field=search_id "'.*_(?<s_id>\d+\.\d+)'"
| eval ad_hoc_latency = round(exec_time - s_id, 3)
| eval ad_hoc_latency = max(ad_hoc_latency,0)
| table _time s_id exec_time total_run_time, ad_hoc_latency
| where ad_hoc_latency>0
| eval Description=case(ad_hoc_latency>0 AND ad_hoc_latency<=0.5,"0-0.5", ad_hoc_latency>0.5 AND ad_hoc_latency<=2,"0.5-2", ad_hoc_latency>2 AND ad_hoc_latency<=5,"2-5", ad_hoc_latency>5 AND ad_hoc_latency<=15,"5-15",ad_hoc_latency>15,">15")
| timechart span=10m count by Description