Hi, I'm very close to a solution. I've managed to build a timechart that shows transfer_in_MB where the combined JNLs are above 900. All I still need to do is display it at an hourly interval and show the count for each column. I tried (timechart span=1h count(transfer_in_MB) by JNL*), but it doesn't work with "*".
index=storage_18037 sourcetype=csvRotemA_JNL_SUMMARY host=RotemA NOT DATETIME
    JOURNAL_ID IN ("014", "00A", "000", "01E")
    ```Base search: journal summary events for four journal IDs on host RotemA. NOT DATETIME drops events containing that term (presumably the CSV header row; confirm).```
| eval transfer_in_MB=M_JNL_ASYNC_XFER_RATE/1024
    ```Raw rate divided by 1024; presumably a KB-to-MB conversion (confirm the source unit).```
| eval IDs="JNL".JOURNAL_ID
    ```Prefix the journal ID so each series becomes a column named JNL<id>.```
| table _time IDs transfer_in_MB
| dedup _time IDs
    ```Keep one sample per timestamp and journal before averaging.```
| timechart span=1m avg(transfer_in_MB) by IDs
    ```One row per minute, one column per journal (JNL000, JNL00A, JNL014, JNL01E).```
| eval JNL000_00A=if(JNL000+JNL00A<900,0,JNL000+JNL00A),
       JNL000_014=if(JNL000+JNL014<900,0,JNL000+JNL014),
       JNL000_01E=if(JNL000+JNL01E<900,0,JNL000+JNL01E),
       JNL00A_014=if(JNL00A+JNL014<900,0,JNL00A+JNL014),
       JNL00A_01E=if(JNL00A+JNL01E<900,0,JNL00A+JNL01E),
       JNL014_01E=if(JNL014+JNL01E<900,0,JNL014+JNL01E)
    ```Pairwise sums of the per-minute averages; a pair whose sum is below 900 is zeroed.```
| where JNL000_00A > 900
     OR JNL000_014 > 900
     OR JNL000_01E > 900
     OR JNL00A_014 > 900
     OR JNL00A_01E > 900
     OR JNL014_01E > 900
    ```Keep only the minutes in which at least one pair exceeds 900.```
| fields _time, JNL000_00A, JNL000_014, JNL000_01E, JNL00A_014, JNL00A_01E, JNL014_01E