I have the following criteria from a single event that appears like: Time Event 11/4/22 4:10:28.000 AM { [-] Total: 6656 srv110: 1002 srv111: 1105 srv112: 1007 srv113: 995 srv114: 1269 srv115: 1278 } <My Query>| timechart span=1m values(srv*) will return the values as so: _time values(srv110) values(srv111) values(srv112) values(srv113) values(srv114) values(srv115) 11/4/2022 4:04 1003 1105 1007 996 1268 1278   But I need to return all of them as so even if any one of those values falls under 800 but also greater than -1.   I attempted to transpose and search from there but I'm failing somewhere.   Any help or nudge in the right direction would be greatly appreciated.  Thank you!   ... View more

Hello, I have several things that come in via different platforms : Android (watch, phone, tablet), iOS (Watch, Phone, Tablet), and Web . For counting purposes I just need to know the platform (for now). I was wondering if there was any way possible to group my counts by my replaces . index =blah source=blah earliest=-16m@m latest=-1m@m | stats count(eval(Status=0 OR Status=1)) as Now by Platform | replace android* with Android, *Web* with Web, ip* with iOS | table Platform, Now As of now my results look like: Platform Now android 96 android 1 android 1306 iOS 3000 iOS 45 iOS 2 Web 1286 Web 956 What I would like: Platform Now Android 1403 iOS 3047 Web 2242 Thanks in advance for any help. ... View more