Hi VanyBerg, As you didn't mention any time field, I have taken _time as reference I used _internal index, you can try this and modify the query per your requirement. index=_internal | eval time_hour=strftime(_time, "%H") | eval time_hour=case(time_hour <9,"1",time_hour <17,"2", time_hour <24, "3") | stats count(_raw) as count by time_hour | appendcols [ search index=_internal | stats count as Total_count ] | eval Average_value=count/Total_count You need to add src to stats if you need to get stats by src Hope it helps. ... View more

Personally I would reformat the CSV like this: domain, ignore *trendmicro.com,true In the lookup configuration, create a lookup definition and ensure wildcard matching is enabled (its not by default!) then you can do: "whatever your search providing a field called domain"|lookup ignored_domains domain OUTPUT ignore|where ignore!="true" ... View more