Thanks This better with "where" ... View more

OK, I think i get it. This works | eval myTime=strptime(strftime(strptime(myTime,"%Y-%m-%d %H:%M:%S") ,"%Y-%m-%d 08:%M:%S") ,"%Y-%m-%d %H:%M:%S") but maybe there is a better way ... View more

@ITWhisperer  It works perfectly !! Thanks a lot ... View more

HI @ITWhisperer  Thanks for answering. I tried this just to see if it works but it doesn't work | eval label="USR URI" | stats count as avgNb avg(DUR) as avgDuration by $label$ => No results return whereas this works | stats count as avgNb avg(DUR) as avgDuration by USR URI   Something wrong in my eval instruction ? Thanks ... View more

Hi @ITWhisperer  Thanks for this perfect  solution !! ... View more

Hi  @ITWhisperer Sorry for this new request but maybe you could help me. I'd like to differenciate the empty rows (no log in index) and the rows excluded from the lookup Example : Considering the search period 18/03/2022 00:00:00 => 18/03/2022 01:00:00 In my lookup, the range 18/03/2022 00:00:00<=>18/03/2022 00:10:00 is excluded And there is no log in my source for the period 18/03/2022 00:25:00<=>18/03/2022 01:00:00  I tried this   my_index [|inputlookup my_lookup.csv | eval start=strptime(Debut,"%Y-%m-%d %H:%M:%S") | eval end=strptime(Fin,"%Y-%m-%d %H:%M:%S") | sort 0 end | addinfo | where end > info_min_time AND start < info_max_time | append [| makeresults | fields - _time | addinfo | rename info_max_time as start | fields start] | streamstats values(end) as earliest window=1 current=f | eval latest=if(isnull(end), if(earliest > start, null(), start), start) | eval earliest=if(isnull(earliest), if(start < info_min_time, null(), info_min_time), earliest) | where isnotnull(earliest) AND isnotnull(latest) | appendpipe [ stats count | where count=0 | addinfo | rename info_min_time as earliest | rename info_max_time as latest] | fields earliest latest] | timechart span=5m values(URI) as URI sum(NB) as nb avg(DUR) as DUR | fillnull value=NO_LOG   And here is the result. Problem : I don't want the 2 first rows to be identified as NO_LOG I tried to identify the "NO_LOG" rows before the lookup exclusion like this   my_index | timechart span=5m values(URI) as URI sum(NB) as nb avg(DUR) as DUR | fillnull value=NO_LOG [|inputlookup my_lookup.csv | eval start=strptime(Debut,"%Y-%m-%d %H:%M:%S") | eval end=strptime(Fin,"%Y-%m-%d %H:%M:%S") | sort 0 end | addinfo | where end > info_min_time AND start < info_max_time | append [| makeresults | fields - _time | addinfo | rename info_max_time as start | fields start] | streamstats values(end) as earliest window=1 current=f | eval latest=if(isnull(end), if(earliest > start, null(), start), start) | eval earliest=if(isnull(earliest), if(start < info_min_time, null(), info_min_time), earliest) | where isnotnull(earliest) AND isnotnull(latest) | appendpipe [ stats count | where count=0 | addinfo | rename info_min_time as earliest | rename info_max_time as latest] | fields earliest latest]   but I got an error : Error in 'fillnull' command: Invalid argument: 'earliest=1647558000.000' I hope it's clear   Thanks in advance ... View more

It's perfect !!! Thanks a lot ... View more

Hi @ITWhisperer  Thanks again for the solution. However, I've seen a little issue when the period selected is not overlapped with a range of my lookup. Ex. Considering my lookup : 2020-12-05 12:00:00, 2020-12-05 18:00:00 2021-01-24 08:00:00, 2021-01-24 18:00:00 2021-02-10 19:00:00, 2021-02-10 21:00:00 If I make a search on 2021-01-29 (for example), no results returned. Any idea ? Thanks ... View more

Oups sorry, I've just changed this | eval start=strptime(Debut,"%Y-%m-%d %H:%M:%S") | eval end=strptime(Fin,"%Y-%m-%d %H:%M:%S") and it works perfectly What a job !! Thanks a lot ... View more

No, there are not overlapping time periods And you're  right, I want all events that are not in the differents range of my lookup. So, how can I adapt my request ?   Thanks ... View more

Hi @ITWhisperer  Thanks for answering but unfortunately it doesn't work No results returned ... View more

Thanks @gcusello  It works perfectly ... View more

Hi @ITWhisperer  It works perfectly Thanks a lot ... View more

Hi @ITWhisperer  Thanks for reply. However, I try this but it doesn't work <form> <init> <set token="colorGreen">0x00AA00</set> </init> ... ... ... <row> <panel> <chart> <option name="charting.fieldColors">{"SUCCES": $colorGreen$, "ERR. FONC.": 0x0000AA, "ERR. TECH.": 0xDD0000}</option> ... ... My SUCCES bar still appears in Black instrad of green. If I replace the token by his value (0x00AA00), it's OK Is my <init> block in good location ? Thanks   ... View more