Hello, I'll give some context before showing the query.
I have a Splunk instance that I test on to see the query results, because I don't have access to the Splunk instance that has the data.
I have a query that shows me the result for these two hostnames, but I need the same result for all hostnames, not just these two.
I have two queries.
The first query gets me the results for the two machines, although I don't know whether it does so because I have the data inserted (I can't find it by index) or because I use makeresults (I read that it works from cache and the data doesn't have to be there).
| makeresults
| eval EventCode="20", hostname="wdv01ssps,DESCASSOAW01", error_code="0x80070003 0x80004004"
| makemv delim="," hostname
| makemv delim=" " EventCode
| makemv delim=" " error_code
| mvexpand EventCode
| mvexpand hostname
| mvexpand error_code
| table hostname EventCode error_code
I'd like to use the latter, as it's easier for me to display results by hostname, which in this case is called ComputerName.
How can I show all ComputerName values with these same filters?
index=sistemi sourcetype="wineventlog" TaskCategory="Windows Update Agent" AND EventCode IN (20, 27)
| eval day_of_week = lower(strftime(_time, "%A"))
| eval date_string = strftime(_time, "%Y-%m-%d")
| eval Weekend=if(day_of_week="saturday" OR day_of_week="sunday",1,null())
| search Weekend=1
| stats count by Message EventCode ComputerName date_string
| stats list(Message) by ComputerName date_string EventCode
It may simply not be possible to list all the computer names without listing them one by one.
Thanks.
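Added example, not part of the original post: a way to exercise the second query's weekend filter and the two stats stages on a Splunk instance that does not have the index, by generating a few fake wineventlog-style rows with makeresults for several ComputerName values and real timestamps. The rows (the third hostname SRV03TEST, the dates and the Message texts) are constructed test data, not real events; the dates are chosen so that 2024-06-08 is a Saturday, 2024-06-09 a Sunday and 2024-06-10 a Monday.

```spl
| makeresults
| eval line="wdv01ssps|20|2024-06-08|Installation Failure,DESCASSOAW01|27|2024-06-09|Installation Started,SRV03TEST|20|2024-06-10|Installation Failure"
| makemv delim="," line
| mvexpand line
| rex field=line "^(?<ComputerName>[^|]+)\|(?<EventCode>\d+)\|(?<date_string>[^|]+)\|(?<Message>.*)$"
| eval _time=strptime(date_string, "%Y-%m-%d")
| eval day_of_week=lower(strftime(_time, "%A"))
| eval Weekend=if(day_of_week="saturday" OR day_of_week="sunday", 1, null())
| search Weekend=1
| stats count by Message EventCode ComputerName date_string
| stats list(Message) by ComputerName date_string EventCode
```

The first five stages only stand in for `index=sistemi sourcetype="wineventlog" ...`; everything from the `day_of_week` eval onward is the same logic as the real query, so the hostnames are never filtered anywhere and every ComputerName present in the data appears in the final table. Because the test rows carry a proper _time, the weekend filter is actually evaluated: the Monday row for SRV03TEST is dropped and the Saturday and Sunday rows survive. To test more hosts, add further `hostname|EventCode|date|message` entries to the comma-separated string.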