Please explain what you mean by "spath does not work".  It works for me in this run-anywhere example (escape characters added to satisfy the SPL parser).  What is your query?  What results do you expect and what do you get?     | makeresults | eval data="{\"time\":\"time_here\",\"kubernetes\":{\"host\":\"host_name_here\",\"pod_name\":\"pod_name_here\",\"namespace_name\":\"namespace_name_here\",\"labels\":{\"app\":\"app_label\"}},\"log\":{\"jobId\":\"job_id_here\",\"dc\":\"dc_here\",\"stdout\":\"{ \\\"Componente\\\" : \\\"componente_here\\\", \\\"channel\\\" : \\\"channel_here\\\", \\\"timestamp\\\" : \\\"timestamp_here\\\", \\\"Code\\\" : \\\"code_here\\\", \\\"logId\\\" : \\\"logid_here\\\", \\\"service\\\" : \\\"service_here\\\", \\\"responseMessage\\\" : \\\"responseMessage_here\\\", \\\"flow\\\" : \\\"flow_here\\\", \\\"log\\\" : \\\"log_here\\\"}\",\"level\":\"info\",\"host\":\"host_worker_here\",\"flow\":\"flow_here\",\"projectName\":\"project_name_here\",\"caller\":\"caller_here\"},\"cluster_id\":\"cluster_id_here\"}" | spath input=data | transpose   And the results  

I have below query .how to include into result query.pls advise     Need to include this one into result query | stats values(event) as events by customer | where NOT (events = "s1" AND events = "s2" AND events = "s3") Result query: (index=1 sourcetype="abc" "s1 event received" and "s2 event received" and "s3 event received") OR (index=2 sourcetype="xyz" "created") | rex "(?<e_type>s.) event received for (?<customer>\d+)" | rex "(?<created>created) for (?<customer>\d+)" | stats max(eval(if(e_type="s3",_time, null()))) as last_e_type max(eval(if(created="created", _time, null()))) as created_time dc(e_type) as e_types values(created) as created by customer | addinfo | where e_types=3 AND (created_time-last_e_type > 300 OR (isnull(created_time) AND info_max_time - last_e_type > 300)

The AND operator works within a single event.  To combine multiple events you need to use an aggregating command.  Assuming the customer number has been extracted into a field called "customer" then this will trigger an alert if any customer does not have all three events. <<some search for S1, S2, and S3>> | stats count by customer | where count < 3  

Try including the _time as well in your search  Either using timechart or by _time bucket  index=_internal source=*license_usage.log* type=Usage idx=*| eval GB=b/1024/1024/1024 |timchart span=1d sum(gb) by st   or index=_internal source=*license_usage.log* type=Usage idx=*| eval GB=b/1024/1024/1024 |bin _time span=1d | stats sum(GB) by _time,st

I am not sure why you are not adapting my previous suggestion - try something like this | stats count(eval(like(message, "%READ-ERROR -&gt; DP is temporarily down%"))) as read_error_count count(Code) as count_by_id |eval read_error_count = if(read_error_count &gt; count_by_id/2 ,mvappend(read_error_count,"RED"), read_error_count)  

| stats count(eval(like(message, %READ-ERROR -&gt; DP is temporarily down%))) as read_error_count |stats count(Code) as count_by_id |eval color_value = if(read_error_count &gt; count/2 ,0,1) i want color read_error_count column by color_value result thanks @ITWhisperer 

Correct, the question is not identical, but the essence of the question is, that is, how to colour cells based on the value in another cell on the same row, in your case you want the read_error_count colour based on the value of the count_by_id. To do this, as I said earlier, and is shown in more detail in the referenced solution, you use mvappend to add a second value to the read_error_coiunt field based on the value of the count_by_id field | eval read_error_count=if(count_by_id > 10, mvappend(read_error_count,"RED"), read_error_count) Then use CSS to hide the second multi-value cell and set the palette to change the colour if "RED" is a value You can use other strings and colours to your requirements.