@kamlesh_vaghela I figured out how to render the date in abbreviated form:

```
index=breaches email=* breach_site=*
| rex field="breach_date" "^(?<year>[^-]+)-(?<month>[^-]+)-(?<day>.+)"
| eval mon=case(month="01","Jan",month="02","Feb",month="03","Mar",
    month="04","Apr",month="05","May",month="06","Jun",month="07","Jul",
    month="08","Aug",month="09","Sep",month="10","Oct",month="11","Nov",
    month="12","Dec")
| chart count by year mon useother=false
```

I just need to tally the amount of "email" as part of the overall "breach_site". The current output only shows all emails that are part of "breach_site", while I need to include "email" as part of "breach_site". Ideally, you should be able to determine per month how many company emails were part of all emails in a breach. As I mentioned above, the below only shows all emails, with no breakdown to include company emails.