@Nisha18789 This has done exactly what I want, thank you! I wonder if you could help me with one other query?

It is in the same index and sourcetype, I've now been asked if I can show the same information for each server group. The search I have is:

index="automox" sourcetype="automox:devices" server_group="*"
| dedup name
| stats count by pending, server_group
| eventstats sum(count) as perc
| eval perc=round(count*100/perc,2)
| search pending=false
| table pending, count, perc, server_group

However this just gives a percentage based on the amount of machines within each server group, which is not what I was looking for. What I want is like below:

pending   count   perc    server_group
FALSE     9       8.11    Linux Servers
FALSE     1       0.9     Linux Workstations
FALSE     4       3.6     MacOS Workstations
FALSE     30      27.03   Windows Server Full
FALSE     4       3.6     Windows Workstations

But the percentage is based on the total amount of machines, rather than how many exist within the server group.

As an example, if I run your search you provided with the extra bit, server_group="Windows Workstations", then the percentages it gives me are:

column         row 1
%patch_pend    90.48
%patched       9.52

And this is what I would expect.

The reason I am trying to do this, is so that on a dashboard I can show a trellis view of each server group and the percentage of unpatched (or patched) machines.

I hope that makes sense and sorry for the wall of text!