The filter on your search should be only including the events you want - if you have other events, you need to tighten the filter to exclude the unwanted events. Can you share an example of the events which are being included which should not be based on your filter?

The above rex will give all the APIS.   For example we have another API  /API/*/workbooks.Now with the query you provided it would give the values of this API also.I dont want that. I just need values of  /API/*/Books,./API/*/collections,/API/*/Notes only.

Correct, but it clearer now; thank you. Try it this way | rex mode=sed field=URI "s/(?<root>\/\w+\/)[^\/]+(?<api>.*)/\1*\2/g" | eval responseTime="response time" | chart avg(duration) as avg_time by responseTime URI You can set the x-axis Title to "None"  

Try this <input type="multiselect" token="Account_Label_Azure"> <label>Account Label Azure</label> <choice value="*">ALL</choice> <initialValue>*</initialValue> <default>*</default> <fieldForLabel>Account_Label_Azure</fieldForLabel> <fieldForValue>Account_Label_Azure</fieldForValue> <search> <query>index=report Account_Label_Azure=*</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> </input> <input type="multiselect" token="Account_Label_VMware"> <label>Account Label VMware</label> <choice value="*">ALL</choice> <initialValue>*</initialValue> <default>*</default> <fieldForLabel>Account_Label_VMware</fieldForLabel> <fieldForValue>Account_Label_VMware</fieldForValue> <search> <query>index=report Account_Label_VMware=*</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> Having said that, you have these as multiselects which won't work very well in your search if more than one value is selected.

Hello Each filter have default value "*" this is an example for the source of 2 filters : <input type="multiselect" token="Account_Label_Azure"> <label>Account Label Azure</label> <choice value="*">ALL</choice> <default>*</default> <fieldForLabel>Account_Label_Azure</fieldForLabel> <fieldForValue>Account_Label_Azure</fieldForValue> <search> <query>index=report Account_Label_Azure=*</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> </input> <input type="multiselect" token="Account_Label_VMware"> <label>Account Label VMware</label> <choice value="*">ALL</choice> <default>*</default> <fieldForLabel>Account_Label_VMware</fieldForLabel> <fieldForValue>Account_Label_VMware</fieldForValue> <search> <query>index=report Account_Label_VMware=*</query> <earliest>-24h@h</earliest> <latest>now</latest> </search>   and this is the source of the table  <table> <search> <query>index="report" Category__Severities_of_Patches="$host1$" OR Category__Categories_of_Patches="$host2$" OR Category__Sources_of_Patches="$host3$" OR exposure_level=$host_exposure_level$ OR Computer_Name="$computer_name$" OR Account_Label_Azure="$Account_Label_Azure$" OR Account_Label_VMware="$Account_Label_VMware$" OR BigFix_Groups="$BigFix_Groups$" OR Category__Sources_of_Patches="$Category__Sources_of_Patches$" OR Custom_Attributes="$Custom_Attributes$" OR Custom_Site_Names="$Custom_Site_Names$" OR IP_Address="$IP_Address$" OR Operating_System="$Operating_System$" OR OS="$OS$" OR Pending_Restart="$Pending_Restart$" OR Power_State_VMware="$Power_State_VMware$" OR Provider_Name="$Provider_Name$" OR Relay="$Relay$" OR State_Azure="$State_Azure$" OR VM_Region="$VM_Region$" OR Tags_Azure___cost_environment=$Tags_Azure___cost_environment$ OR Tags_Azure___cost_servicegroup=$Tags_Azure___cost_servicegroup$ OR Tags_Azure___cost_team=$Tags_Azure___cost_team$ OR Custom_Attributes=$Custom_Attributes$ | table Computer_ID Computer_Name Account_Label_VMware Account_Label_Azure Provider_Name OS Relay VMware_Tags Tags_Azure Custom_Site_Names Pending_Restart Custom_Attributes Last_Report_Time Last_Updated Free_Space_on_System_Drive_(GB) Power_State_VMware State_Azure BigFix_Groups Category__Names_of_Patches Category__Severities_of_Patches Category__Categories_of_Patches Category__Sources_of_Patches Category__CVEs_of_Patches Category__Release_Dates_of_Patches</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row>

Hi @_pravin, please debug your search deleting all the raws until raw before the eval command: what's the value of the Module field? have you empty values or not? Please, share your search also in text format. Ciao. Giuseppe

Here is a runanywhere example using random durations showing the average of the APIs - how is this different to what you have asked for | makeresults count=10 | eval _raw="/api/cvraman/book /api/apj/book /api/nehru/book /api/cvraman/collections /api/apj/collections /api/indira/collections /api/rahul/notes /api/rajiv/notes /api/modi/notes" | multikv noheader=t | eval duration=random()%10 | rename _raw as URI ``` The lines above create dummy data ``` | rex mode=sed field=URI "s/(?<root>\/\w+\/)[^\/]+(?<api>.*)/\1*\2/g" | stats avg(duration) as avg_time by URI

Thank you for the response. But this gives me all the API's average response time.   If i just need the resposnse of the api which mich only /api/*/Book ,/api/*/collections/,/api/*/notes then what would be the rex statement

Not this way what i need is  suppose /api/cvraman/book - took 1msec for response /api/apj/book-took 2msec for response /api/nehru/book-took  3 msec for response /api/cvraman/collections -took 1msec for response /api/apj/collections-took 3msec for response /api/indira/collections-took 5msec for response /api/rahul/notes-took 1msec for response /api/rajiv/notes-took 4msec for response /api/modi/notes-took 6msec for response   Now in the chart i should have only three API, /api/*/book -calculate the average of /api/cvraman/book ,/api/apj/book,/api/nehru/book /api/*/collections -same average of collections API /api/*/notes-same average of notes API

Hi @gcusello ,   Even I feel that the eval command doesn't always match and so the SPL is not working. I tried the isnull(), len()>0, and even reversing the condition to look for empty cells, but neither of them worked.   Thanks, Pravin