Try doing it with stats instead:
index=ndx sourcetype=srctp
| rex field=_raw "req\-id\S+(?<req_id>\d+)"
| rex field=_raw "com.a.b.App \- (?<sequence>Making a GET Request)"
| rex field=_raw "com.a.b.App \- (?<sequence>Output Status Code)"
| eval sequence=sequence+";"+_time
| stats values(sequence) as sequence by req_id
| mvexpand sequence
| rex field=sequence "(?<sequence>[^;]+);(?<time>\d+)"
| eval time=strftime(time,"%c")
This will extract the "req-id" into a field named req_id, and the start and end of the sequence into a field named sequence
Presuming the sample data you shared is correct, when you stats values(sequence) as sequence, it will put the "Making…" entry first and the "Output…" entry second
Because values() will do this, when you mvexpand and then split the values()‘d field part into sequence and time, they’ll be in the proper order
If the sample data is incomplete, you may need to tweak the regexes for populating sequence
from User warren – Stack Overflow https://stackoverflow.com/questions/75459984/how-to-find-time-duration-between-two-splunk-events-which-has-unique-key/75460511#75460511
via IFTTT