In a similar vein, I am stuck on getting values returned as intended. I am trying to get riskscore values for assets that have an exception applied, but only the exception values of risk.
Something like this, but I am unclear how to differentiate the risk:
index=rapid7 | transaction asset_id | makemv nexpose_tags delim=";" | stats sum(riskscore) as totalrisk, values(review_comment), values(submitted_by) by nexpose_tags | eval totalrisk=round(totalrisk) | sort -totalrisk
Perhaps some version of your query above would fit into this query to show the asset group and its risk that is being excluded in Nexpose?