You'll have to make sure your data is CIM compliant. The root search for the datamodel is: (`cim_Network_Traffic_indexes`) tag=network tag=communicate You can build a search to vet the data that the datamodel is processing using the root search and showing the fields in tabular format: (`cim_Network_Traffic_indexes`) tag=network tag=communicate | table _time action app bytes bytes_in bytes_out dest dest_ip src src_ip Note that there's a lot more CIM fields, but since you're asking about bytes I'll focus on that. I'm assuming you have data that is tagged correctly, and that you have null values for bytes, bytes_in and bytes_out - if that's the case you have to make sure those fields exist in the source data, and that those values are all number values and not text values. All of the bytes value fields in the datamodel are calculated: The bytes calculation is case(isnum(bytes),bytes,isnum(bytes_in) AND isnum(bytes_out),bytes_in+bytes_out,1=1,null()) The bytes_in calculation is case(isnum(bytes_in),bytes_in,isnum(bytes) AND isnum(bytes_out),bytes-bytes_out,1=1,null()) The bytes_out calculation is case(isnum(bytes_out),bytes_out,isnum(bytes) AND isnum(bytes_in),bytes-bytes_in,1=1,null()) If your source data does not have the proper combination of bytes, bytes_in, and/or bytes_out or those values are not numeric values then you will wind up with null values for the bytes field values in your datamodel. If you have values that are non-numeric then you'll have to do some normalization work on your source data to convert them to numeric fields. ... View more