Unfortunately, you cannot do multiple aggregators in the pivot ui. You could use the pivot command. ie. | pivot datamodel object sum(foo) AS "foo" sum(bar) AS "bar" SPLITROW _time AS _time PERIOD auto Obviously this kind of defeats the purpose of using pivot outside of the acceleration benefits but hopefully they will iterate over the interface and make it more useful. ... View more

lguinn, have you tried that? i tried adding _time to a root search and then the data model would not load in pivot. ... View more

This doesn't seem to be what root search was designed to do. Could you give an example of why you need to create a root search and have the _time field? ... View more

So you could try replacing the wel-col-kv with something like: REGEX=(?m)^([^=\n]+)\s*=\s*([^\n]+) FORMAT = $1::$2 MV_ADD = true If you really wanted you could set the source_key to message if you don't want to create fields above "Message" ... View more