Hi @nithys, don' add a new question (even if on the same topic) to a closed question, anyway what's the issue in your search? anyway, you don't need to have two stats command in the secondary search: index="1**" source="2***" | rex "(?ms)statusCode: (?<status_code>\d+)" | stats count by statusCode | appendcols [ search index="1**" source="2**" "republish event" | stats dc(event.body) AS totalrequest ] Ciao. Giuseppe

Hi @Questioner, let me understand: you want to use a special graph using a viz from another app that you should install in your Splunk, is this correct? At first what's ths app? does it come from splunkbase? if yes it isn't a problem, many Splunk apps (also ES) use external apps for special visualizations (e.g timeline). Second If you want a viz you have to install also this app in your Splunk and use it in your own custom app. Ciao. Giuseppe

Thanks all for the reply. Got an update from AppDynamics Support as well that currently the tool doesn't have the requested functionality of license reporting. So suggested to put on Idea exchange. Again thanks all for your valuable replies.

Thanks @dtburrows3  This method worked perfectly. Able to extract the required fields while still keeping associations intact.  although running this at scale, I am getting the following message.   command.mvexpand: output will be truncated at 2200 results due to excessive memory usage. Memory threshold of 500MB as configured in limits.conf / [mvexpand] / max_mem_usage_mb has been reached. Are there any alternatives to mvexpand that would avoid these memory issues? 

To retain the associations for any sort of analysis you may need to mvexpand the "records{}.properties.flows{}.flows{}.flowTuples{}" field itself. stats aggregation using 2 multivalued fields as by-fields can be misleading for the final output. Below is a table of the event you shared on the initial post after using the mvexpand and then extracting out the individual fields after. SPL to do this          | mvexpand "records{}.properties.flows{}.flows{}.flowTuples{}" | eval time=mvindex(split('records{}.properties.flows{}.flows{}.flowTuples{}', ","), 0), src_ip=mvindex(split('records{}.properties.flows{}.flows{}.flowTuples{}', ","), 1), dest_ip=mvindex(split('records{}.properties.flows{}.flows{}.flowTuples{}', ","), 2), src_port=mvindex(split('records{}.properties.flows{}.flows{}.flowTuples{}', ","), 3), dest_port=mvindex(split('records{}.properties.flows{}.flows{}.flowTuples{}', ","), 4), protocol=mvindex(split('records{}.properties.flows{}.flows{}.flowTuples{}', ","), 5), traffic_flow=mvindex(split('records{}.properties.flows{}.flows{}.flowTuples{}', ","), 6), traffic_result=mvindex(split('records{}.properties.flows{}.flows{}.flowTuples{}', ","), 7)     Doing a stats count by src_ip and dst_ip should make more sense using the data formatted in this way.    

@dtburrows3  Thank you for the reply.  Tried these eval and the fields are getting extracted from the tuples, but it seems the association between them is lost.  For this one event, there are total 17 tuples. But after applying evals, resulting stats shows several other combinations between src_ip & dst_ip. Stats for field records{}.properties.flows{}.flows{}.flowTuples{} stats on src_ip,dst_ip after applying eval

Hi @gcusello  I am able to get different  status code in a pie chart ,if i also want to append an another query count to get the "totalrequest" ....its not adding to pie chart How can i add below in pie chart...lets say the total request count say 3 success 200-2(green color) 400 error-1(pink color) 500 error-1(red color) index="1**" source="2***" | rex "(?ms)statusCode: (?<status_code>\d+)" | stats count by statusCode | appendcols [search index="1**" source="2**" "republish event"| stats count by event.body | stats count | rename count as totalrequest]