Thanks, @Ryan.Paredez  for trying the suggested solution. It seems we're still encountering the same error referencing additional documentation. Regarding the issue with accessing the secret file '/opt/appdynamics/cluster-agent/secret-volume/api-user', it appears the file might be missing or inaccessible. Additionally, I attempted the examples provided in the link you shared (https://docs.appdynamics.com/appd/23.x/latest/en/infrastructure-visibility/monitor-kubernetes-with-the-cluster-agent/auto-instrument-applications-with-the-cluster-agent/auto-instrumentation-configuration-examples)

Thanks so much! This is exactly what I was trying to achieve. Apologies about the wrongly formatted data, but your dummy data is correct. For wildcard, I meant a field name that appears multiple times but can have any number of different subfields (i.e. `wildcard_field.*`) but I wasn't sure if this was the correct terminology, but your answer does work exactly for this field. Thanks again for your answer. It solves my problem, and I have also learnt a bit more about searching in Splunk, which I really appreciate.

@marnall  Thanks for your reply.  You are right! It is the same problem! But, it was said that it is fixed in 9.1 and I don't have any problem on 9.1.3! However, same bug has re-appeared on 9.2.0.1 again! 

It works perfectly for the specified date, but how do I do include it in my command if I want your answer to be the format for every StartTime : eventtype=windows_index_windows eventtype=hostmon_windows host="///" (Name="///*") OR (Name="///*") OR (Name="///*")  StartTime="*" | table Name, StartTime Sorry if I'm not clear, English is not my first language 

First of all, thanks for creating the dummy data, it was very useful, although slightly wrong. I corrected the data to remove Y1_3 which doesn't exist in your tables nor your desired results. Try something like this | makeresults | eval _raw="ID_A;ID_B;X1;X2 A1;B1;X1_1;X2_1 A2;B2;X1_2A;X2_2 A2;B2;X1_2B;X2_2 A3;B3;X1_3;X2_3 " | multikv forceheader=1 | table ID_A, ID_B, X1, X2 | append [ | makeresults | eval _raw="ID_A;ID_B;Y1;Y2 A2;B2;Y1_2; A2;B2;;Y2_2 A3;B3;;Y2_3A A3;B3;;Y2_3B A4;B4;Y1_4;Y2_4 " | multikv forceheader=1 | table ID_A, ID_B, Y1, Y2 ] | append [ | makeresults | eval _raw="ID_B;ID_C;Z1 B1;C1;Z1_1 B3;C3;Z1_3 B5;C5;Z1_5 " | multikv forceheader=1 | table ID_B, ID_C, Z1 ] | table ID_A, ID_B, ID_C, X1, X2, Y1, Y2, Z1 | eventstats values(ID_C) as ID_C values(Z1) as Z1 by ID_B | eventstats values(X1) as X1 values(X2) as X2 values(Y1) as Y1 values(Y2) as Y2 by ID_A ID_B | eventstats values(X1) as X1 values(X2) as X2 values(Y1) as Y1 values(Y2) as Y2 values(ID_A) as ID_A by ID_C ID_B | mvexpand Y2 | mvexpand X1 | fillnull value="N/A" | streamstats count by ID_A ID_B ID_C X1 X2 Y1 Y2 Z1 | where count==1 | foreach * [| eval <<FIELD>>=if(<<FIELD>>=="N/A",null(),<<FIELD>>)] | fields - count Note that mvexpand can cause memory issues, so you need to check your job status to ensure the search works correctly with real data.

Field names with special characters such as hyphens often need to be quoted with single quotes. index=* uri=validate | eval SLA=1000| stats count as total_calls count(eval('execution-time' < SLA)) as sla_compliant_count