There are very, Very, VERY good reasons that your admin has wisely taken away Real-Time, including: 1: Any real-time anything locks 1 core on EVERY Indexer and Your Search-Head. This does not scale. 2: You don't need it. If you cannot react to the alert in ~1s, a short-window regular search is just as effective. 3: There is pipeline latency in getting events into Splunk and a real-time search may search for your event before it has even arrived on the indexer and make for many false-negatives. Despite what all of the marketing and training says, SPLUNK IS *NOT* A REAL-TIME PRODUCT! ... View more

@omarka - Assuming your columns are values of Status , then you are looking for the chart command. Replace the final stats with... | chart count(TransactionId) by Service, Status More detail on how to use it here - http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Chart ... View more