Hi @yuanliu ,    Few results were wrong, I don't know why!   When I'm checking with in search, It is having macro1 as value but when I'm checking with that macro, there we are having that host. Thanks in Advance!

This does not work for me. It evaluates to "NaN". I guess the issue beeing, that $timepicker.xxx$ is filled with "-24h@h" for example, rather than UNIX time.  Maybe it would make sense to post this as a seperate question. "how to convert "-24h@h" or so into UNIX time"?

Thank you very much yuanliu, now only one task is pending is what if I want to see name of  the firewall should be display there  from fields either firewall_name or firewall_hostname  which are not matching along with their count on single search.  Please help me with that also.

>>> I am not able to share the actual logs, since they are client specific. to use the spath command, we should check the json format.  so, pls remove all client specific things like ip address, hostnames, usernames, etc.. replace them with sample data... like firstname:adam, etc.. and paste the json.. 

It is not clear what is not working - do the dropdowns display? do the searches that populate the dropdowns work on their own? is your wireless mouse fully charged and working? have you switched the screen on? 

In other words, you only want count of matching records as well as count of non-matching records.  Using a similar aggregation as @gcusello provides, but just do counts. | inputlookup ABC.csv | eval lookup="ABC.csv" | fields Firewall_Name lookup | append [ | inputlookup XYZ.csv | eval lookup="XYZ.csv" | rename Firewall_Hostname AS Firewall_Name | fields Firewall_Name lookup ] | stats values(lookup) as lookup by Firewall_Name | eval lookup = if(mvcount(lookup) > 1, mvjoin(lookup, " + "), lookup . " only") | stats count by lookup In the scenario you described, you will get a table like lookup count ABC.csv only 150 ABC.csv + XYZ.csv 849 XYZ.csv only 1 If you don't care about ABC.csv only, you can eliminate in the if function, like | inputlookup ABC.csv | eval lookup="ABC.csv" | fields Firewall_Name lookup | append [ | inputlookup XYZ.csv | eval lookup="XYZ.csv" | rename Firewall_Hostname AS Firewall_Name | fields Firewall_Name lookup ] | stats values(lookup) as lookup by Firewall_Name | eval lookup = case(mvcount(lookup) > 1, mvjoin(lookup, " + "), lookup == "XYZ.csv", lookup . " only", true(), null()) | stats count by lookup

Thanks for the clarification on the _internal index retention. It was certainly a File & directories input. The person that created the input/index has since left & I need the source file to replicate the regex/indexing. I'll see what I can dig up outside of Splunk. Appreciate the input!

@bowesmana The problem with this method (which I hinted at) is that the field in question is already a multi-value field, and this method hides the second value (which with this method would be an indicator for the colour), but it looks like (from the search shared by OP) this may contain actual data values.

When looking at the job inspector there seems to be a massive difference (I am a novice at debugging this)  the normalizedSearch looks very different (due to chaining?).  Im unable to progress this further due to prestats command not being recognised - was hoping to recreate the search step by step to understand where this breaks so I can ask our splunk gurus a focused question 

Thanks for responding - when I run the search chained I get NULL, whereas when I run it in a single block, i get separation by severity field in severity.  (I've obfuscated the search a bit) Expected behaviour index=my_index | spath eventClass | search eventClass="my.event" | timechart count(eventClass) by severity Unexpected behaviour (displays graph, but without field separation showing "NULL" Chained Parent index=my_index Chained child  | spath eventClass | search eventClass="my.event" | timechart count(eventClass) by severity  What even more confusing is the graph on the dashboard, when view and clicked on to forward to the standard search and reporting, works.  So the division of the events seems to fail as it something has been lost, passing from parent to child. Thanks again for any time or attention given to this.  Each event is a JSON document logged via HEC, if that's important know.

OK. You're mixing so many different things here that I'm not really sure what you want. You posted this in "Getting Data In" section which typically deals with issues regarding ingesting data from sources into Splunk. You labeled your post with "field extraction" but doesn't mention the extraction in the contents - are your fields properly extracted? Do you need to extract them before searching? And your post is clearly about searching as such. But mentions something you call "XML-based AdHoc Search input/output form". What do you mean? I suggest you check out the "Intro to Splunk" free course on the STEP education portal (see https://www.splunk.com/en_us/training/course-catalog.html )