Hi @mukeshchandak, you could use the append command to put the three searches in one and collect the results in one, but there's the problem that you have different fields. You could also schedule three different searches and save results in a summary to quicly have results. But in my opinion, the best solution is to save results of one simple search in a Summary, then running the searches with timechart in three different panels. In other words, I'd schedule this search, e.g. every 5 minutes: index=abc source="*/d/e/f.log" artifact_id=g*h*i* host!=“jkl*” cloud=mno consumer_id=* response_code=* | table _time response_time response_code | collect index=my_summary then I'd run the three searches in different dashboard panels: query1: index=my_summary | timechart span=1s count query2: index=my_summary | timechart span=5m eval(count()) as "Response Code" by response_code query3: index=my_summary | timechart span=5m avg(response_time) as "Avg Response Time" p99(response_time) as "99 Percentile" p95(response_time) as "95 Percentile" Ciao. Giuseppe ... View more

Hi @mukeshchandak, for a summary index it's easier to use three searches not one! anyway, if you want one search you have to modify the three searches giving to each one common fields, e.g. timestamp, value and response code, something like this (I don't know if is exactly what you want, but see my approach: index=abc source="*/d/e/f.log" artifact_id=g*h*i* host!=“jkl*” cloud=mno consumer_id=* response_code=* | bin span=1m _time | stats avg(response_time) as "Avg Response Time" max(response_time) as "Max Response Time" p99(response_time) as "99 Percentile" p95(response_time) as "95 Percentile" BY _time | append [ search index=abc source="*/d/e/f.log" artifact_id=g*h*i* host!=“jkl*” cloud=mno consumer_id=* response_code=* | bin span=1m _time | stats earliest(_time) AS _time count(response_code) As "Count Response Time" by response_code ] | append [ search index=abc source="*/d/e/f.log" artifact_id=g*h*i* host!=“jkl*” cloud=mno consumer_id=* response_code=* | stats earliest(_time) AS _time avg(response_time) as "Avg Response Time" max(response_time) as "Max Response Time" p99(response_time) as "99 Percentile" p95(response_time) as "95 Percentile" ] Ciao. Giuseppe ... View more

I recommend you start here. One thing to note: indexes are not knowledge objects. Access to indexes is configured in role settings. And then there are app permissions as well that may limit what you can and cannot do.  Maybe I am misunderstanding the issue you are having completely.  ... View more