Hi,
Ok I did not realize you had other fields in addition to 07-10 as well.
Now, try this query as it is; since the audit index ships by default, it should work for you. Choose last 7 days as the time range to see how this query behaves with the last 1 week of data. If this query works, all you need to do is replace 'action' with your custom field 'EXCEPTION_TYPE'.
index="_audit"
| eval period=if(strftime(_time,"%d")==strftime(now(),"%d"),"today",strftime(_time,"%m-%d"))
| eval period1=case(period !="today",period)
| chart count by action,period
| eval yesterday = strftime(relative_time(now(), "-1d@d"),"%m-%d")
| appendcols
    [search index="_audit"
    | eval period=if(strftime(_time,"%d")==strftime(now(),"%d"),"today",strftime(_time,"%m-%d"))
    | eval yesterday = strftime(relative_time(now(), "-1d@d"),"%m-%d")
    | eval period1=case(period !="today",period)
    | eventstats max(period1) as maxp by action
    | where maxp=period
    | chart count(action) as yest_count,values(maxp) as maxp by action]
| eval yest_count=if(maxp=yesterday,yest_count,0)
| eval total=today-yest_count
| fields - maxp, - yest_count