Hi @gcusello , You put me on the right track!  I modified what you provided to calculate the average: | eventstats count AS total by date_hour | eval day=strftime(_time,"%m/%d/%Y") | stats dc(day) AS days count BY date_hour | eval average=round(count/days,2) | sort by date_hour | rename count as SumOfEvents, days as NumOfEvents   I used the syntax below separately to calculate the number of days in my selected date range.  So for the month of August, TotalDays will have a value of 31. | eventstats dc(date_mday) as daysNmonth | timechart sum(daysNmonth) | stats count(_time) as TotalDays   I'm having trouble incorporating TotalDays with the first block of syntax to calculate:   cumulative=round(SumOfEvents/TotalDays,2) ... View more

Ciao @gcusello ,   I've played around with the commands a bit, but still not getting the desired results.  I may not have explained well in my initial post, but I'm trying to get event counts and averages for a specific time range.  For example, if I have the following in my data:   date 01 12 17 08-01-2022 1     08-02-2022 1   2 08-03-2022   1 7 08-04-2022 1       I'd like to calculate the averages as follows:   standard avg = Σ events/# of events cumulative avg = Σ events/# of days   date_hour Σ events # events # days standard avg  cumulative avg 01 3 3 6 1 0.50 12 1 1 6 1 0.16667 17 9 2 6 4.5 1.5   The calculations would be executed separately so I can plot one line chart with Σ events vs standard avg and another with Σ events vs. cumulative avg.   The table for standard average would look like this:  date_hour Σ events # events standard avg  01 3 3 1 12 1 1 1 17 9 2 4.5   Thanks for the help!  ... View more

Oh... ok @niketnilay. I must have entered something wrong the first time, because no results were returning and it worked when I added the limit. I tried all three solutions today with success. Thanks again! ... View more

Hi @niketnilay. I knew top command was ideal, but I missed adding the by area portion in some attempts, and tried it in conjunction with stats count in others. The grouping portion of my question was just an alternative option for displaying the information, if anyone had ideas. There was a small typo in the solution you provided, but the following displayed exactly what I needed: … |top limit=10 type by area Thanks for the help! ... View more

@jkat54 and @woodcock this is my first real attempt a crowdsourcing and I like it! You guys have been awesome! ... View more

That worked too! ... View more

@jkat54, thanks for the suggestion. I decided to accept the answer with the higher EPS. Adding each eval to the rest of my search against 10 months of logs in Verbose mode: |eval type=case(match(title...) returned 14,190 EPS and |eval type=if(match(title...) returned 13,408 EPS ... View more

Once I capitalized summary and detail it worked. Now I know how to account for upper and lower too. Thanks for the help! ... View more

I changed * to .* in the eval and it worked! Thanks so much! ... View more

Thanks for responding so quickly! This is creating the TYPE field, but it's only returning the value "unknown type". Could this have something to do with special characters in the titles? ... View more

Thanks for the quick response! I tried this with * and with .* for wildcards, but I get the following error: Error in 'eval' command: The arguments to the 'searchmatch' function are invalid. ... View more