Hi @hoangtony  Can you please share how you are dynamically able to set the border using node fill color using the color field when generating search results ? If possible, it would be great if you could also share the SPL as well. thanks. ... View more

Thanks for the pointer.  I did look at this app previously but it's not using SimpleXML and the dashboard I'm working on is a production dashboard that I'm making changes to.  Unfortunately I wouldn't be able to use the JSON format this app is using for the moment. ... View more

You seem on the right track with setting Process= to determine origin, although I would set the case statement as  | eval process=case( match(_raw,"Success Message"),"ProcessA", match(_raw,"Generation completed"),"ProcessB", isnull(source),"Lookup", 1=1,"Other") If you put this before the stats command, then do the | stats ... by host process BTW, the | fields host will remove everything other than _* and host, so would need to handle allowing process through. Also, not sure that _raw is still valid after the stats, so that won't work.  I don't know if that will get you to where you want to   ... View more