Transaction+timechart from complex logs (john the ripper)

A few days ago, a developer added to John the Ripper the ability to timestamp every line of its logs, allowing me to feed them to Splunk in order to derive statistics from this data. JtR's logs are complex, starting with a header of several lines giving details about the current session:

    2016-02-23T20:43:57+0100 1 0:00:00:00 Starting a new session
    2016-02-23T20:43:57+0100 1 0:00:00:00 Loaded a total of 15151 password hashes with 15151 different salts
    2016-02-23T20:43:57+0100 1 0:00:00:00 Sorting salts, for performance
    2016-02-23T20:43:57+0100 1 0:00:00:00 Remaining 14755 password hashes with 14755 different salts
    2016-02-23T20:43:57+0100 1 0:00:00:00 - Node numbers 1-4 of 4 (fork)
    2016-02-23T20:43:57+0100 1 0:00:00:00 Command line: ./john --fork=4 --wordlist=password.lst --rules=JUMBO dump.txt
    2016-02-23T20:43:57+0100 1 0:00:00:00 - UTF-8 input encoding enabled
    2016-02-23T20:43:57+0100 1 0:00:00:00 - Passwords will be stored UTF-8 encoded in .pot file
    ...

After this header, each cracked password yields a new line, and periodically an info line is printed:

    2016-02-23T20:50:38+0100 2 0:00:06:41 + Cracked foo
    2016-02-23T20:50:50+0100 1 0:00:06:53 + Cracked bar
    2016-02-23T20:50:47+0100 3 0:00:06:49 + pot sync removed 2 hashes; Remaining 14583 hashes with 14583 different salts

The session can end by exhaustion (no more passwords, or no more candidates), or by interrupt (ctrl-c). The message is either:

    2016-02-23T22:17:06+0100 2 0:01:33:09 Session completed

or

    2016-02-24T11:03:47+0100 4 0:00:38:22 Session aborted

I would like to be able to track down and compare the efficiency of different sessions. Each session has different parameters that can be read from the header ("Command line:" and other header log lines). Efficiency can be measured as the number of "Cracked" in a given period of time. The difficulty for me is to make a timechart, chart, or stats calculation for each session from a single Splunk request so everything is displayed on one graph/chart.
I've started investigating transactions; that's quite easy with a first line containing "Starting a new session" and the last containing "Session *ted". But it seems I can't work inside a transaction to create a timechart. Any hint?
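The grouping the question asks for, shown as an added stand-alone Python example (not the poster's code and not a Splunk search): it parses the timestamped JtR line format, splits lines into sessions at each "Starting a new session" header, keeps the "Command line:" parameters and end status per session, and counts "+ Cracked" events per time bucket since the session start, which is what a per-session timechart would plot. The sample log is constructed; the --incremental session in it is invented for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in JtR's timestamped log format: two sessions; --fork nodes interleave.
SAMPLE_LOG = """\
2016-02-23T20:43:57+0100 1 0:00:00:00 Starting a new session
2016-02-23T20:43:57+0100 1 0:00:00:00 Command line: ./john --fork=4 --wordlist=password.lst --rules=JUMBO dump.txt
2016-02-23T20:50:38+0100 2 0:00:06:41 + Cracked foo
2016-02-23T20:50:50+0100 1 0:00:06:53 + Cracked bar
2016-02-23T20:50:47+0100 3 0:00:06:49 + pot sync removed 2 hashes; Remaining 14583 hashes with 14583 different salts
2016-02-23T20:52:10+0100 4 0:00:08:13 + Cracked baz
2016-02-23T22:17:06+0100 2 0:01:33:09 Session completed
2016-02-24T10:25:25+0100 1 0:00:00:00 Starting a new session
2016-02-24T10:25:25+0100 1 0:00:00:00 Command line: ./john --fork=4 --incremental dump.txt
2016-02-24T10:26:01+0100 3 0:00:00:36 + Cracked qux
2016-02-24T11:03:47+0100 4 0:00:38:22 Session aborted
"""
# Line layout: <timestamp> <node> <elapsed d:hh:mm:ss> <message>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<node>\d+) (?P<elapsed>\d+:\d\d:\d\d:\d\d) (?P<msg>.*)$")

def parse_sessions(text):
    """Group lines into sessions delimited by the 'Starting a new session' header."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a timestamped JtR line
        ts, msg = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z"), m["msg"]
        if msg == "Starting a new session":
            cur = {"start": ts, "end": None, "cmd": None, "status": "running", "cracked": []}
            sessions.append(cur)
        elif cur is None:
            continue  # orphan lines before the first header
        elif msg.startswith("Command line: "):
            cur["cmd"] = msg[len("Command line: "):]
        elif msg.startswith("+ Cracked "):
            cur["cracked"].append(ts)  # one event per cracked hash; pot-sync '+' lines are ignored
        elif msg in ("Session completed", "Session aborted"):
            cur["status"], cur["end"] = msg.split()[1], ts
    return sessions

def cracked_per_bucket(session, span_minutes=1):
    """Cracks per span_minutes bucket since session start (the timechart equivalent);
    buckets are keyed by elapsed time so out-of-order node lines land correctly."""
    span = timedelta(minutes=span_minutes)
    buckets = defaultdict(int)
    for ts in session["cracked"]:
        buckets[int((ts - session["start"]) // span)] += 1
    return dict(sorted(buckets.items()))
```

Because the buckets are relative to each session's own start rather than to wall-clock time, sessions run on different days can be laid over one another on one chart and compared by their "Command line:" parameters.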
