This is a preview of how the data is indexed initially

https://postimg.org/image/igb8y7ohv/. I couldn't as I don't have enough karma points. Can you see the link now?

yes. i see it now

I assume the events you shared are from a search like this your base search tag=101, right? Because I don't see dn= anywhere. Try the updated query I posted.

the events i have posted are without any search. Just the raw file. When I do search for tag=101 all the dn fields disappear. I did get an output using the new query but the result is different from what I expected and its not a timechart

The graphs should look like this. The first one is for Search count by DN and the second one is for Search count duration by DN. I need help with both please

Try the edited query

I did. It doesn't work. I think you'd be able to solve it if I can send you the log file

That'll be great. Share a few events

Thnx.Ive added a link to the image url for you.

I don't see the link. All I see is alt text. Just paste a few events to your original question

Thnx for the reply. Sorry but it says "No results". If i don't use transaction then the events are not grouped based on conn number. The DN value is only present after the binding is complete so I used transaction so that the dn and SRCH are grouped in same event.