...
Groups the results by User ID and orders them by most common User ID.
_source=BridgeServer2-Prod MetricsFilter | parse "\"user_id\":\"*\"" as userId nodrop
This simple query parses the userId from our MetricsFilter. The nodrop means that if the line doesn’t have a userId, we still preserve the line in our results, but the parsed userId shows up as blank.
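The effect of nodrop on the group-by-User-ID step described above, as an added example in Python (not part of the original page and not Sumo Logic's implementation): it emulates the parse anchor, nodrop, and the count ordered by most common userId. The sample lines, the "status" field and all helper names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not real Bridge logs); only the "user_id" and
# "elapsedMillis" keys come from the queries on this page.
SAMPLE_LINES = [
    'MetricsFilter {"user_id":"u-100","status":200,"elapsedMillis":42}',
    'MetricsFilter {"user_id":"u-200","status":200,"elapsedMillis":310}',
    'MetricsFilter {"status":401,"elapsedMillis":95}',
    'MetricsFilter {"user_id":"u-100","status":200,"elapsedMillis":1200}',
]

USER_ANCHOR = '"user_id":"*"'  # the parse anchor, without query-string escaping


def anchor_to_regex(anchor):
    """Literal text matches literally; each * becomes a lazy capture group.
    Assumes every * is followed by literal text, as in the anchor above."""
    return re.compile("(.*?)".join(re.escape(part) for part in anchor.split("*")))


def parse(lines, anchor, field, nodrop=False):
    """Return [(line, {field: value})]. Lines that do not match the anchor are
    dropped unless nodrop is set, in which case the field is left blank."""
    rx = anchor_to_regex(anchor)
    out = []
    for line in lines:
        m = rx.search(line)
        if m:
            out.append((line, {field: m.group(1)}))
        elif nodrop:
            out.append((line, {field: ""}))
    return out


def count_by(records, field):
    """Group by field and order by most common value first."""
    return Counter(fields[field] for _, fields in records).most_common()


if __name__ == "__main__":
    for nodrop in (False, True):
        records = parse(SAMPLE_LINES, USER_ANCHOR, "userId", nodrop=nodrop)
        print(f"nodrop={nodrop}: {len(records)} lines kept ->", count_by(records, "userId"))
```

Without nodrop the line that has no user_id disappears from the totals; with nodrop it is counted under a blank userId, so requests that carry no user remain visible in the grouping.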
Graphs
_source=BridgeServer2-Prod MetricsFilter | parse "\"elapsedMillis\":*}" as latency | num(latency) | timeslice 1h | pct(latency,50,95,99) by _timeslice | order by _timeslice asc
...