Hi @ivan123357 , I'd try something like this: index=custom (evt_id=1 OR evt_id=2) earliest=-5m latest=-7m | stats last(evt_id) AS evt_id earliest(_time) AS earliest latest(_time) AS latest BY user_id | where evt_id=1 OR (latest-earliest>300) Ciao. Giuseppe

ne in the future, this is the final query I went with. I was trying to group any event in a certain index and sourcetype.  index=test sourcetype=test2 source=* | rex field=test_city "(?<city>[A-Za-z]+)_$" | eval has_true_port = case( port_123="True" OR port_139="True" OR port_21="True" OR port_22="True" OR port_25="True" OR port_3389="True" OR port_443="True" OR port_445="True" OR port_53="True" OR port_554="True" OR port_80="True", "Yes", true(), "No" ) | where has_true_port = "Yes" | stats values(port_123) as port_123, values(port_139) as port_139, values(port_21) as port_21, values(port_22) as port_22, values(port_25) as port_25, values(port_3389) as port_3389, values(port_443) as port_443, values(port_445) as port_445, values(port_53) as port_53, values(port_554) as port_554, values(port_80) as port_80 values(city) as City by destination, test_src_ip | eval open_ports = if(port_123="True", "123,", "") . if(port_139="True", "139,", "") . if(port_21="True", "21,", "") . if(port_22="True", "22,", "") . if(port_25="True", "25,", "") . if(port_3389="True", "3389,", "") . if(port_443="True", "443,", "") . if(port_445="True", "445,", "") . if(port_53="True", "53,", "") . if(port_554="True", "554,", "") . if(port_80="True", "80,", "") | eval open_ports = rtrim(open_ports, ",") | table destination, test_src_ip City open_ports The result looks a bit like this:   Basically, this combines each open port into one row while also sorting by destination ip and source IP  

Also, I did look at the metrics.log and it shows the connections from the server sending the logs, but nothing still in the index. Below is an example of the connection (I have x'd out the IP) 10-25-2023 16:22:34.165 +0000 INFO Metrics - group=tcpin_connections, x.x.x.x:31311:6514, connectionType=rawSSL, sourcePort=31311, sourceHost=x.x.x.x, sourceIp=x.x.x.x, destPort=6514, kb=0.000, _tcp_Bps=0.000, _tcp_KBps=0.000, _tcp_avg_thruput=0.000, _tcp_Kprocessed=0.000, _tcp_eps=0.000, _process_time_ms=0, evt_misc_kBps=0.000, evt_raw_kBps=0.000, evt_fields_kBps=0.000, evt_fn_kBps=0.000, evt_fv_kBps=0.000, evt_fn_str_kBps=0.000, evt_fn_meta_dyn_kBps=0.000, evt_fn_meta_predef_kBps=0.000, evt_fn_meta_str_kBps=0.000, evt_fv_num_kBps=0.000, evt_fv_str_kBps=0.000, evt_fv_predef_kBps=0.000, evt_fv_offlen_kBps=0.000, evt_fv_fp_kBps=0.000

What do you get from just doing the index search? index="dynatrace" [| makeresults | eval earliest=relative_time(now(),"$tr_14AGuxUA.earliest$"), latest=relative_time(now(),"$tr_14AGuxUA.latest$") | table earliest latest] Also, what do the events look like, particularly the userActions object? You may need to further "expand" the userActions{} object.

Tabling works, but that's not enough if you need to carry along hidden values for Drilldowns. Tokens "kind of" work with the <fields> tag, but they don't seem to update when the token changes. Classic Splunk W.

Hi @PickleRick , Thank you so much i got the query what i was expecting. But i have some changes here can you help me on that Standby Column i don't have any individual searches  like url and cleared_log i just need standby count as Toatal _Messages  - Errro_count  should be displyed on the table. Rest all will be the same. |tstats count as Total_Messages where index=app-logs TERM(Request) TERM(received) TERM(from) TERM(all) TERM(applications)  

This might be irrelevant, but you appear to have 9 decimal places in your timestamp not 6 (%6N),, and your timezone variable looks like it should be "%:z" not just "%z", and your sample json is not valid (although this could just be a copy/paste/anonymisation artefact). Also, are you sure 1000 is enough of a lookahead?

Wow finally got this to work.  I'm not sure why but I had to refresh and it started working.  All the other numbers populated.  Thank you so much for your help!!!!  Here is a screen shot that could help someone else with the final code that was successful.