The values and list functions display results in lexicographic order and destroy any potential relationship among the fields.  One solution is use mvzip to combine fields, group the results, then unzip the fields. index=okta or index=network | iplocation (src_ip) | eval tuple = mvzip(src_ip, mvzip(deviceName, mvzip(City, Country))) | stats values(tuple) by user, index | eval fields = split(tuple, ",") | eval src_ip = mvindex(fields, 0), deviceName=mvindex(fields,1), City=mvindex(fields, 2), Country=mvindex(fields,3) A better approach might be to perform the iplocation command after stats. index=okta or index=network | stats values(src_ip) as src_ip by user, index | mvexpand src_ip | iplocation (src_ip)   ... View more

Use the rex command to extract the usage value then test the value to see if the alert should be triggered.  I find it more reliable to put the threshold in the alert rather than in the metadata.   index=”main” source=”C:\\Admin\StorageLogs\storage_usage.log” | rex "usage (?<usage>[^%]+)% used" | where usage > 75   ... View more

The REGEX attribute must contain a capturing group, even if it's not used.  Also, no need to reference _raw. [DropFirewallEvents] REGEX= ("category":\s"AZFWDnsQuery") DEST_KEY=queue FORMAT=nullQueue   ... View more

You're very close.  Use \d (digit) in place of \w (word).  Also, remove the '=' since there is no such character in the data. | rex "in (?<in>\d+)"   ... View more

Archived data must be restored before it can be searched. ... View more

The field extractor and erex commands tend to create overly complicated expressions.  This one should work. | rex field=message "percent: (?<gts_percent>\d+)"   ... View more