Hi there,

1. Isolate the Top 3: Add a dedup issuetype command after the head 10 to keep only unique issuetypes. Then, use head 3 to grab the first 3.

2. Create Individual Tokens: Use the fields command to extract each issuetype into a distinct field: | fields issuetype1=issuetype issuetype2=issuetype issuetype3=issuetype

3. Assign Tokens: In the Token configuration, select "Use search result as token." Map issuetype1 to $tokenfirst$, issuetype2 to $tokensecond$, and issuetype3 to $tokenthird$.

Here's the full search string:

index=..... ("WARNING -" OR "ERROR -")
| rex field=_raw "(?<issuetype>\w+\s-\s\w+)\:"
| stats count by application, issuetype
| sort -count
| head 10
| dedup issuetype
| head 3
| streamstats count AS rank
| eval name="issuetype".rank
| eval {name}=issuetype
| stats values(issuetype1) AS issuetype1, values(issuetype2) AS issuetype2, values(issuetype3) AS issuetype3

Now you can use those tokens in your other panels to display events for the top 3 issuetypes! Remember: Adjust the index and other search terms to match your specific data. If you encounter any issues, consult Splunk documentation or community forums for guidance.

~ If the reply helps, a Karma upvote would be appreciated
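As an added illustration that is not part of the reply above, this is how the same "search result as token" mapping is written in a classic Simple XML dashboard, with a base search setting the three tokens in its done handler and one panel consuming the first token. The index name my_index, the time range and the application field are assumptions; the regex's angle brackets are XML-escaped inside the query element.

```xml
<dashboard>
  <label>Top 3 issue types</label>
  <!-- Base search: runs once; its single result row feeds the tokens (my_index is an assumed name). -->
  <search id="top3_issuetypes">
    <query>
      index=my_index ("WARNING -" OR "ERROR -")
      | rex field=_raw "(?&lt;issuetype&gt;\w+\s-\s\w+)\:"
      | stats count by application, issuetype
      | sort -count
      | head 10
      | dedup issuetype
      | head 3
      | streamstats count AS rank
      | eval name="issuetype".rank
      | eval {name}=issuetype
      | stats values(issuetype1) AS issuetype1, values(issuetype2) AS issuetype2, values(issuetype3) AS issuetype3
    </query>
    <earliest>-24h</earliest>
    <latest>now</latest>
    <!-- Equivalent of "Use search result as token": $result.FIELD$ is the value from the first result row. -->
    <done>
      <set token="tokenfirst">$result.issuetype1$</set>
      <set token="tokensecond">$result.issuetype2$</set>
      <set token="tokenthird">$result.issuetype3$</set>
    </done>
  </search>
  <row>
    <!-- The panel stays hidden until the base search has populated the token. -->
    <panel depends="$tokenfirst$">
      <title>Events for $tokenfirst$</title>
      <event>
        <search>
          <query>index=my_index "$tokenfirst$"</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>
</dashboard>
```

Duplicate the panel with $tokensecond$ and $tokenthird$ for the other two issue types.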