search index and sourcetype: index=your_app sourcetype=your_metrics

include traceid events: index=your_app sourcetype=your_metrics TRACE_ID=”"

expand search to 60 minutes and events where response time is greater than 5ms: earliest=-60m latest=now EXE_TIME>5

find count(volume), average, minimum, maximum, and standard deviation: earliest=-60m latest=now EXE_TIME>5 | stats counts as volume, avg(EXE_TIME), min(EXE_TIME) as minimum, max(EXE_TIME) as maximum, stdev(EXE_TIME) as stddev

group by operation: index=your_app sourcetype=your_metrics TRACE_ID=”" earliest=-60m latest=now EXE_TIME>5 | stats counts as volume, avg(EXE_TIME), min(EXE_TIME) as minimum, max(EXE_TIME) as maximum, stdev(EXE_TIME) as stddev by OPERATION