There is no "search for specific values in any field" - where you have placed the token, it effectively searches the _raw field, and there doesn't appear to be anything wrong here. You have already got a "token-related condition". Please provide examples where this is not working for you, particularly with events which should have been found for a particular token value, or events which were found which shouldn't have been.

Hi @phanikumarcs , you have to declare the field that you want to use for the value in the text input, otherwise it willsearch in the raw text, and e.g. the host field usually isn't in the raw event, but in metadata. but this add to your dashboard an additional issue: if the eventId field isn't present in all the events, adding event_Id=* will exclude from the results all the events without this field, so beware to how you use this input. Ciao. Giuseppe

@gcusello great, understood. Suppose when i want to search the Server field value (goo1) in the EventID Textbox, it will display the results of goo1, similar to other fields as well (Message, Severity)

@ITWhisperer No, its not about the search  | where _time=$eventid$ OR EventID=$eventid$ OR Server=$eventid$ OR Message=$eventid$ OR Severity=$eventid$ Make it as simple, when you search for specific values in any field (for example, EventID, Server, Message, or Severity) in the search input "Textbox", the system will display relevant data related to those fields. This allows for easy and straightforward searching based on the criteria. Reference Image: In the code I provided earlier, what changes are necessary for token-related conditions?

Hi @phanikumarcs , at first, if you want o use the text input only on eventid input, you should modify your search in : <row> <panel> <title>EventID-Severity Matrix</title> <input type="text" token="eventid" searchWhenChanged="true"> <label>Search EventID</label> <prefix>EventID="</prefix> <suffix>"</suffix> </input> <table> <search> <query> index IN ("foo1", "foo2", "foo3") host IN ("goo1", "goo2", "goo3", "goo4") EventID IN ("1", "1021", "1069") Name=* $eventid$ | fields EventID Name host | eval Severity=case( EventID="1", "Information", EventID="1021", "Warning", EventID="1069", "Critical",) | rename Name as Message, host as Server | table _time, EventID, Server, Message, Severity</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> otherwise the token will search on the raw text instead on the EventID field. Then is eventid a field present in all the events or only in part of them? if you use * in the text box, you exclude from the results the events without the EventID field. Ciao. Giuseppe

At first glance, there doesn't appear to be anything wrong with your search as you have shown it. Please can you give some examples of events which are not found and the search string used which failed to find the events?

Since you didn't provide any sample events I had to guess - since you still haven't provided any sample events I can only guess whether this is right or not. Since it apparently isn't giving what you want, I would guess it isn't right. In your search, what is count? Is it a field in your events?

@gcusello Here is the code <row> <panel> <title>EventID-Severity Matrix</title> <input type="text" token="eventid" searchWhenChanged="true"> <label>Search EventID</label> </input> <table> <search> <query>index IN ("foo1", "foo2", "foo3") host IN ("goo1", "goo2", "goo3", "goo4") EventID IN ("1", "1021", "1069") Name=* $eventid$ |fields EventID Name host | eval Severity=case( EventID="1", "Information", EventID="1021", "Warning", EventID="1069", "Critical",) | rename Name as Message, host as Server | table _time, EventID, Server, Message, Severity</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row>

  What is the field used as "volume" ? Is it similar to "count" in stats to get volume ?  I tried this but not working and tried a portion of your query  | bin _time span=1h | stats sum(count) as volume by _time component Its not reporting anything under volume

So, why is Lat/Long included as a data point? Even the tutorial I'm following has the same result, but surely there is a way to not show these since its sort of meaningless? (And don't call me Shirley!)