Hey All I have this search, and I want two results on my visualization. I want to see both "Method" and "User". What is missing here index=XXX sourcetype="XXX:XXX:message" data.logName="projects/*/logs/cloudaudit.googleapis.com%2Factivity" data.resource.labels.project_id IN (*) AND ( data.resource.type IN(*) (data.protoPayload.methodName IN ("*update*","*patch*","*insert*" ) AND data.protoPayload.authorizationInfo{}.permission IN ("*update*","*insert*")) OR (data.resource.type IN(*) (data.protoPayload.methodName IN ("*create*", "*insert*") AND data.protoPayload.authorizationInfo{}.permission="*create*")) OR (data.resource.labels.project_id IN (*) AND data.resource.type IN(*) data.protoPayload.methodName IN (*delete*))) | eval name1='data.protoPayload.authorizationInfo{}.resourceAttributes.name' | eval name2='data.protoPayload.authorizationInfo{}.resource' | eval Name=if(name1="-", name2,name1) |search Name!="-" | rename data.protoPayload.methodName as Method, data.resource.type as "Resource Type", data.protoPayload.authorizationInfo{}.permission as Permission, data.timestamp as Time, data.protoPayload.authenticationInfo.principalEmail as User, data.protoPayload.requestMetadata.callerIp as "Caller IP" | timechart count by Method ... View more