no joy 😞 . I had tried that one earlier but tried it again and no luck. Something tells me it has to do with this mvzip/mvexpand thing you helped me with before. Maybe the whole query would help

index="camera_status" sourcetype=access_combined_camerastatus 8773|rex max_match=0 "Premise=\s+(?<premiseid>\d+)"|rex max_match=0 "Mac=\s+(?<macid>[a-fA-F0-9\.:-]{12,17})"|rex max_match=0 "RSSI=\s+(?<rssiid>[^\s]+)"|rex max_match=0 "Model=\s+(?<cmodel>.+)"|dedup macid|eval temp=mvzip(macid,rssiid,"###") |mvexpand temp | rex field=temp "(?<macid>.+)###(?<rssiid>.+)"|eval rssiid=if(rssiid="dB",0,rssiid)|eval rssiid=if(cmodel="iCamera2-C" AND rssiid!=0, rssiid+-20,rssiid)|stats list(macid) as MAC, count(macid) as "Number of Cameras", list(rssiid) as RSSI  by premiseid|sort premiseid RSSI|rename RSSI as "Current RSSI"|rename premiseid as "PREMISE - Click for Detail"

Whats the output of above command (what values are there in rssiid column, are they zero ?).

Here is a sample

Current RSSI

0
0
-47
0

-27
-60
-45
-47
-59
-48

-52
-61
0
0

-51
-35
-45
-52
-45
-45

Try adding this eval before the iCamera2 eval

...| eval rssiid=tonumber(trim(rssiid)) |eval rssiid=if(cmodel="iCamera2-C....."

Got it, using your help on the mvzip as a primer 🙂 . TY!!!

index="cox_camera_status" sourcetype=access_combined_cox_camerastatus |rex max_match=0 "Premise=\s+(?<premiseid>\d+)"|rex max_match=0 "Mac=\s+(?<macid>[a-fA-F0-9\.:-]{12,17})"|rex max_match=0 "RSSI=\s+(?<rssiid>[^\s]+)"|rex max_match=0 "Model=\s+(?<cmodel>.+)"|dedup macid|eval temp=mvzip(mvzip(macid,rssiid,"###"),cmodel,"###")|mvexpand temp | rex field=temp "(?<macid>.+)###(?<rssiid>.+)###(?<cmodel>.+)"|eval rssiid=if(cmodel="iCamera2-C" AND rssiid!=0, rssiid+-20,rssiid)|eval rssiid=if(rssiid="dB",0,rssiid)|stats list(macid) as MAC, list(cmodel) as "Camera Model" count(macid) as "Number of Cameras", list(rssiid) as RSSI  by premiseid|sort premiseid RSSI|rename RSSI as "Current RSSI"|rename premiseid as "PREMISE - Click for Detail"