Hi @rups260386, Since you're already counting hour by hour from earliest=@d then all you have to do is add this to the end of your search |streamstats sum(*) as * to make an incremental sum of the results. Your search should then look like this : index=mdp_ivc_cdrs sourcetype=prd_mdp_ivc_cdrs earliest=@d latest=now | bucket _time span=1h | timechart span=1h count(eval(like(INGRESS_TRUNKCONTEXT,"%amazon%"))) as "Outound Calls",count(eval(like(INGRESS_TRUNKCONTEXT,"%vodafone%"))) as "Inbound Calls",count(eval(like(INGRESS_TRUNKCONTEXT,"%amazon%") AND CDR_TYPE=2 AND ANSWERED_CALL=1)) as "Outbound Answered Calls",count(eval(like(INGRESS_TRUNKCONTEXT,"%vodafone%") AND CDR_TYPE=2 AND ANSWERED_CALL=1)) as "Inbound Answered Calls" |streamstats sum(*) as * Cheers, David ... View more

Hi rups260386, You can use props.conf and transforms.conf on your search head to get the key value pairs after tags, try something like this: props.conf [SourceTypeNameHere] REPORT-myUniqueClassName = myTransformToGetKVAfterTags transforms.conf [myTransformToGetKVAfterTags] REGEX = (?:tags\":\[)?(?:\[\"([^"]+)\",\"([^"]+)\"\][,\]])+? FORMAT = $1::$2 Tested on regex101.com and the captured groups look like this: Hope this helps ... cheers, MuS ... View more