**search** | eval level = case(source=="fschangemonitor",2) | rangemap field=level low=0-1 severe=2-100 default=severe
Something like that?
I just copied and pasted a search I use to detect Up/Down hosts and to display the status of Up or Down in a coloured box thats red or green dependent on its state.
