Thanks for your replies. I will give this a try today and let you know how it turns out! ... View more

I am not able to test my search so you may have to mess around with the where statement. But, if I'm understanding the question correctly all you want to do is display the events in a table together? index=mfa OR index=windows | stats list(_raw) AS events BY logger user address IP hostsrc | where logger==user AND IP==address | table user IP hostsrc That's what I quickly threw together and came up with. Not sure if it does what you need, but after some tweaking I think it'd give you unique values tabled despite the index. ... View more

No worries, the problem was with my communication not your understanding! Let me try to explain in a more digestible way. I have a search that checks for specific commands. IE: I want it to return all information where value = 1, 2, 3 The search specifically looks for values that are 1, 2, or 3, and when it finds those values, they also contain the msg field which can contain x, y, or z. The problem is, if I were to code: | where value==1 AND msg==x OR msg==y I'm excluding a large portion of the potential returned results of the search because now I'm only checking for value=1 and msg=x, y.  So for the search: index=* sourcetype=* (value=1 OR value=2 OR value=3) AND (msg=x OR msg=y OR msg=z) I want my drilldown to show me specifics for each value, essentially, but not to exclude from the original search the potential for different values to be returned with their respective msg. So, I need the search to dynamically understand that ONLY IF value=1, should it exclude msg=x, y. But, if value=2 the search should still return msg where msg ANY of x, y, z. Programmatically it'd look like: if(value==1): exclude(x, y) else: include(x, y, z) Still not sure if that makes sense and I understand it's hard to conceptualize without the actual search, so I appreciate the help. ... View more

Hey thanks for the reply. It's been a long day and I'm not sure I explained the question correctly. That being said, your solution will definitely work for this case. I will test as I think it might work in my case too.  The problem is that the ID field is dependent on not being excluded in some cases. For instance: index=* sourcetype=* (msg=x OR msg=y OR msg=z) (value=1 OR value=2 OR value=3) | list(_raw) AS events BY ID value msg When value=1, it's okay to exclude msg=y or msg=z, but when value !=1, I still want those values to be included because I might get events where msg=y and value=2. Does that make sense? I essentially want something like: | where msg!=x AND value==1 Can you use logic in the where command like that - I don't know but will try it.   ... View more