I changed the search to:

    eventtype=forcepoint_messages bundleId=* WEB sender=*
    | rex "WEB\-\d*\s(?<Action>\w*\s\w*\s\w*)\."
    | rex "src_label\=\'(?<src_label>\S*)\'"
    | eval FileName=name, JobName=Name, userName=userName
    | fillnull value=" "
    | eval Time = strftime(_time, "%Y-%m-%d:%H:%M:%S")
    | stats count AS Count BY Time userName JobName FileName Action bundleId
    | eval bundleID=bundleId
    | appendpipe [ stats sum(Count) AS Count BY bundleId | eval userName="" ]
    | sort - bundleId
    | fields - Count bundleId

and got this, which will work for now. As for coloring, I'm attempting to do that based on the field "bundleId", but that has really been an issue, and it's so easy to achieve in the Classic XML. Thank you for the assistance!

V/R
Steve
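To make the search's row logic concrete outside Splunk, here is an added example (not code from the post or from Splunk) that reproduces what the pipeline does over a few constructed events: the two `rex` extractions, the `fillnull`, the `stats count BY ...` grouping, the `appendpipe` subtotal rows per `bundleId` with `userName` blanked, and the descending `sort - bundleId`. The sample events, their field values and the UTC time zone are assumptions. Unlike the search's final `fields - Count bundleId`, the example keeps `Count` and `bundleId` on every row, since `bundleId` is exactly the field a row-coloring rule would need to read.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Regexes mirroring the two rex commands in the search (Splunk's (?<name>...) syntax
# becomes Python's (?P<name>...)).
ACTION_RE = re.compile(r"WEB\-\d*\s(?P<Action>\w*\s\w*\s\w*)\.")
SRC_LABEL_RE = re.compile(r"src_label\=\'(?P<src_label>\S*)\'")

# Constructed sample events; not real Forcepoint data. Field names follow the
# search: _time, bundleId, userName, name, Name, and the raw message in _raw.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "bundleId": "B-200", "userName": "alice",
     "name": "q3-forecast.xlsx", "Name": "Finance-Sync",
     "_raw": "WEB-1234 Blocked file upload. src_label='Finance' sender='alice'"},
    {"_time": 1700000000, "bundleId": "B-200", "userName": "alice",
     "name": "q3-forecast.xlsx", "Name": "Finance-Sync",
     "_raw": "WEB-1234 Blocked file upload. src_label='Finance' sender='alice'"},
    {"_time": 1700000060, "bundleId": "B-100", "userName": "bob",
     "name": "notes.txt", "Name": None,   # missing job name -> fillnull turns it into " "
     "_raw": "WEB-5678 Allowed file upload. src_label='HR' sender='bob'"},
]

GROUP_COLS = ("Time", "userName", "JobName", "FileName", "Action", "bundleId")


def extract_action(raw):
    """rex "WEB\\-\\d*\\s(?<Action>\\w*\\s\\w*\\s\\w*)\\." : three words after the WEB-#### code."""
    m = ACTION_RE.search(raw)
    return m.group("Action") if m else None


def extract_src_label(raw):
    """rex "src_label\\=\\'(?<src_label>\\S*)\\'" : the quoted src_label value."""
    m = SRC_LABEL_RE.search(raw)
    return m.group("src_label") if m else None


def fmt_time(epoch):
    """eval Time = strftime(_time, "%Y-%m-%d:%H:%M:%S"); UTC is assumed here,
    Splunk would use the search head's configured time zone."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d:%H:%M:%S")


def build_table(events):
    """Return the rows the search produces, before its final `fields -` command."""
    counts = Counter()
    for ev in events:
        fields = {
            "Time": fmt_time(ev["_time"]),
            "userName": ev.get("userName"),
            "JobName": ev.get("Name"),       # eval JobName=Name
            "FileName": ev.get("name"),      # eval FileName=name
            "Action": extract_action(ev["_raw"]),
            "bundleId": ev.get("bundleId"),
        }
        # fillnull value=" " : every missing field becomes a single space
        key = tuple(" " if fields[c] is None else fields[c] for c in GROUP_COLS)
        counts[key] += 1                     # stats count AS Count BY ...

    rows = [dict(zip(GROUP_COLS, key), Count=n) for key, n in counts.items()]

    # appendpipe [ stats sum(Count) AS Count BY bundleId | eval userName="" ]
    subtotals = Counter()
    for r in rows:
        subtotals[r["bundleId"]] += r["Count"]
    for bundle_id, total in subtotals.items():
        rows.append({"Time": None, "userName": "", "JobName": None, "FileName": None,
                     "Action": None, "bundleId": bundle_id, "Count": total})

    # sort - bundleId : descending; Python's stable sort keeps each bundle's
    # subtotal row after the detail rows that were appended before it.
    rows.sort(key=lambda r: r["bundleId"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in build_table(SAMPLE_EVENTS):
        print(row)
```

A quick check against the sample: the two identical "alice" events collapse into one detail row with Count 2, the "bob" event gets a JobName of `" "` from `fillnull`, and each bundle is followed by its subtotal row, with B-200 listed before B-100 because the sort is descending.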