No need to feel dumb, everyone goes through this and understands the missing parenthesis error message doesn't always mean the parenthesis are missing ... View more

Hi @selinakvle Try this | rex field=_raw "fname=(?P<filename>.+[\s])filePath.*fileHash=(?P<fileHash>.*)device" ... View more

Glad it worked for you! I guess I'd have to understand better how you want to see the timestamp again. Do you still want to see the table view like you posted, but just with another field for the count? If so, I think the eventstats command might be better. It does the same agg calculation as stats, but keeps all of the original events too. source="/var/log/auth.log" host="samplehost" sourcetype="authentication" user!=null |eventstats count by rhost | table _time rhost user count Or do you want to see a list of timestamps for each remote device? source="/var/log/auth.log" host="samplehost" sourcetype="authentication" user!=null |stats count list(_time) as timestamps by rhost Other than those two examples, not sure how else to add the timestamp back in over the aggregrate view. ... View more