Hi @CSULeigh You want to use stats to group by email. Give this a try... index=someindex
| eval qualdayOfWeek=strftime(_time, "%a")
| rex field=_raw "is\s(?<status>(NO|YES))\sto"
| eval {qualdayOfWeek}=case(
qualdayOfWeek="Sun", $status$
,qualdayOfWeek="Mon", $status$
,qualdayOfWeek="Tue", $status$
,qualdayOfWeek="Wed", $status$
,qualdayOfWeek="Thu", $status$
,qualdayOfWeek="Fri", $status$
,qualdayOfWeek="Sat", $status$
,true(), "-" )
| table email, Sun, Mon, Tue, Wed, Thu, Fri, Sat
| stats values(*) AS * BY email I've also shown how to use an eval "case" statement with a field name substitution i.e. {field} - not that it really matters and could use eval. You could also "rename" the colums to lowercase if you prefer (| rename Sun AS sun Mon AS mon Tue AS ...). Also note that you if you time period goes over multiple weeks that you may have more than one result per week day column. Hope this helps.
... View more