Thanks for the reply jochen. Can you give me an idea of what path I’d need to go down to get this to work? Is this a matter of doing something with a pipeline or would I need to get deeper than that? I know that I can do this with elapsed in ELK and transaction in Splunk but I’m really liking Graylog and would much prefer to stick with it. TIA!