Hey Nidd, I have had a little play, please try the below search and see if it works for your use case. I've put the count in buckets of 5m chunks with the span argument. Feel free to change this to whatever works for you.

| timechart count span=5m
| eval outlier=if(count>5000,1,0)
| search outlier=1
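To see what the three-line search above actually computes, here is an added Python equivalent (example code, not from the original answer or from Splunk): events are floored into 5-minute buckets the way `timechart ... span=5m` does, counted, flagged with `outlier=1` when the count exceeds 5000, and then only the flagged buckets are returned, which is what `| search outlier=1` leaves behind. The event timestamps are constructed for the example; a real run would feed `_time` values in.

```python
from collections import Counter
from datetime import datetime, timezone

SPAN_SECONDS = 5 * 60   # span=5m
THRESHOLD = 5000        # the 5000 in eval outlier=if(count>5000,1,0)


def bucket_start(epoch: int, span: int = SPAN_SECONDS) -> int:
    """Floor an epoch timestamp to the start of its span bucket (what timechart does with _time)."""
    return int(epoch) - (int(epoch) % span)


def timechart_count(event_times, span: int = SPAN_SECONDS) -> dict:
    """Equivalent of '| timechart count span=5m': {bucket_start_epoch: event_count}."""
    return dict(Counter(bucket_start(t, span) for t in event_times))


def flag_outliers(counts: dict, threshold: int = THRESHOLD) -> list:
    """Equivalent of '| eval outlier=if(count>5000,1,0)': (bucket, count, outlier) rows in time order."""
    return [(b, c, 1 if c > threshold else 0) for b, c in sorted(counts.items())]


def outlier_buckets(event_times, span: int = SPAN_SECONDS, threshold: int = THRESHOLD) -> list:
    """Equivalent of the full search ending in '| search outlier=1': only buckets over the threshold."""
    rows = flag_outliers(timechart_count(event_times, span), threshold)
    return [row for row in rows if row[2] == 1]


# Constructed sample data: a quiet bucket at 12:00 UTC and a burst in the 12:10 bucket.
# 2024-01-01 12:00:00 UTC is an exact multiple of 300 s, so buckets line up on the wall clock.
SAMPLE_BASE = int(datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc).timestamp())
SAMPLE_EVENTS = [SAMPLE_BASE + i for i in range(200)]                 # 200 events, 12:00-12:03
SAMPLE_EVENTS += [SAMPLE_BASE + 600 + (i % 300) for i in range(6000)]  # 6000 events, 12:10-12:14


if __name__ == "__main__":
    for bucket, count, outlier in flag_outliers(timechart_count(SAMPLE_EVENTS)):
        stamp = datetime.fromtimestamp(bucket, tz=timezone.utc).strftime("%H:%M")
        print(f"{stamp}  count={count:5d}  outlier={outlier}")
    print("outlier buckets:", outlier_buckets(SAMPLE_EVENTS))
```

Note that a fixed threshold like 5000 is tied to the bucket width: halving the span roughly halves the count per bucket, so change both together when tuning.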
As long as the data structure doesn't change too much this should work.

| rex field=_raw ".*\[\s(?<category>.*)\s\]\s(?<type>\w*).*\|\s(?<data>\d*)"
Hi Karu, this should work by taking the raw data and only selecting the digits after the pipe character. The space after the pipe is ignored before the digits are placed into a new field named data.

| rex field=_raw "\|\s(?<data>\d*)"
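Both `rex` answers above rely on a PCRE regex with named groups, and it is easier to check them offline than by re-running a search. The following is an added Python example (not from the original answers or from Splunk) that runs both patterns over constructed raw events. Python's `re` module spells named groups `(?P<name>...)` rather than `(?<name>...)`, so the patterns are converted first; otherwise they are used exactly as posted. The sample lines are made up for the example.

```python
import re

# The two patterns exactly as posted in the answers above (SPL / PCRE syntax).
FULL_PATTERN = r".*\[\s(?<category>.*)\s\]\s(?<type>\w*).*\|\s(?<data>\d*)"
DATA_PATTERN = r"\|\s(?<data>\d*)"


def to_python_regex(pcre: str) -> str:
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).
    Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pcre)


def rex(pattern: str, raw: str):
    """Mimic '| rex field=_raw "<pattern>"' on one event: return the named captures as a dict,
    or None when the pattern does not match (Splunk then just leaves the new fields unset)."""
    match = re.search(to_python_regex(pattern), raw)
    return match.groupdict() if match else None


def extract_all(lines, pattern: str = DATA_PATTERN) -> list:
    """Apply one pattern to every raw event, keeping a None for events that did not match."""
    return [rex(pattern, line) for line in lines]


# Constructed sample events in the "[ category ] type ... | number" layout the first answer assumes.
SAMPLE_RAW = [
    "2024-01-01 12:00:00 [ network ] ingress bytes | 4096",
    "2024-01-01 12:00:05 [ disk ] usage percent | n/a",   # non-numeric value after the pipe
    "2024-01-01 12:00:10 heartbeat ok",                   # no brackets and no pipe at all
]


if __name__ == "__main__":
    for line in SAMPLE_RAW:
        print(line)
        print("  full:", rex(FULL_PATTERN, line))
        print("  data:", rex(DATA_PATTERN, line))
```

One caveat the sample makes visible: `\d*` also matches zero digits, so an event with a non-numeric value after the pipe still matches but yields an empty `data` field rather than no field. If downstream arithmetic should only see real numbers, `\d+` is the stricter choice.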