I think this fixed the issues (multiple issues): Seems to be working now. index=iap source="/var/log/pronghorn/A10Service.log" "ERROR :: A10Service ::" | rex field=@message mode=sed "s/(\[\"|\"\])//g" | eval tmp = split('@message'," :: ") , check7 = mvindex(tmp,7), check6 = mvindex(tmp,6), check5 = mvindex(tmp,5), check4 = mvindex(tmp,4), check3 = mvindex(tmp,3) | eval target=case(match(check7, "\w+\-\w+\-\w+\-\w+\-\w+"),7 , match(check6,"\w+\-\w+\-\w+\-\w+\-\w+"), 6 ,match(check5,"\w+\-\w+\-\w+\-\w+\-\w+"), 5) | eval function=case(target == 7, check5, target == 6, check4, target == 5, check3) | timechart span=1d count by function limit=0 ... View more