Here are the answers to your questions....

1. It is the input file for the apps, all_env_component.csv

2. Yes, it works correctly.

    data.componentId    downtime
    Ycomp               322.186934
    Zcomp               300.23822
    Xcomp               645.415504

3. The fields are:

    data.environment.application
    data.environment.environment
    data.environment.stack
    data.componentId

4. This is an availability dashboard. The initial problem was any data.componentId that had 0 downtime would not show in the results, NULL. This was fixed by adding an input file, but then it was showing all the data.componentId and downtime. The desired result is to display only the data.componentId and downtime for the single data.environment.application chosen in the drop down.

Below is the original query that would not display anything with 100% uptime.

    index=MINE data.environment.application="app2" data.environment.environment="uat"
    | eval estack="AW"
    | fillnull value="uat" estack data.environment.stack
    | where 'data.environment.stack'=estack
    | streamstats window=1 current=False global=False values(data.result) AS nextResult BY data.componentId
    | eval failureStart=if((nextResult="FAILURE" AND 'data.result'="SUCCESS"), "True", "False"), failureEnd=if((nextResult="SUCCESS" AND 'data.result'="FAILURE"), "True", "False")
    | transaction data.componentId, data.environment.application, data.environment.stack startswith="failureStart=True" endswith="failureEnd=True" maxpause=15m
    | stats sum(duration) as downtime by data.componentId
    | addinfo
    | eval uptime=(info_max_time - info_min_time)-downtime, avail=(uptime/(info_max_time - info_min_time))*100, downMins=round(downtime/60, 0)
    | rename data.componentId AS Component, avail AS Availability
    | table Component, Availability
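One way to get the result described in the post above, as an added example that is not part of the original post: append zero-downtime rows from the input file, filtered to the same application and environment as the base search, before the final aggregation. It assumes all_env_component.csv is available as a lookup table file with the four columns listed in the post; "app2" and "uat" stand in for whatever the drop-down supplies.

```spl
index=MINE data.environment.application="app2" data.environment.environment="uat"
| eval estack="AW"
| fillnull value="uat" estack data.environment.stack
| where 'data.environment.stack'=estack
| streamstats window=1 current=False global=False values(data.result) AS nextResult BY data.componentId
| eval failureStart=if((nextResult="FAILURE" AND 'data.result'="SUCCESS"), "True", "False"),
       failureEnd=if((nextResult="SUCCESS" AND 'data.result'="FAILURE"), "True", "False")
| transaction data.componentId, data.environment.application, data.environment.stack
    startswith="failureStart=True" endswith="failureEnd=True" maxpause=15m
| stats sum(duration) AS downtime BY data.componentId
``` Seed one zero-downtime row per component of the selected application only (assumed lookup columns). ```
| append
    [| inputlookup all_env_component.csv
     | search data.environment.application="app2" data.environment.environment="uat"
     | eval downtime=0
     | fields data.componentId downtime]
``` Components with outages keep their measured downtime; the rest sum to 0 instead of vanishing. ```
| stats sum(downtime) AS downtime BY data.componentId
| addinfo
| eval uptime=(info_max_time - info_min_time)-downtime,
       avail=(uptime/(info_max_time - info_min_time))*100,
       downMins=round(downtime/60, 0)
| rename data.componentId AS Component, avail AS Availability
| table Component, Availability
```

Filtering inside the subsearch is what keeps components of other applications out of the table; an unfiltered inputlookup returns every row in the file.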