Jeff,

Thanks again. What I found unusual is that I don't actually need to. Here is my search string:

index="main" RealName="ConsolOpen" | timechart span=30m avg(Elapsed _ms)

so it seems that the parentheses suffice for delimiting the field name with a space.

I do find it frustrating that there is no warning or error when I enter something wrong (like Elasped_ms). It should really signal something -I think,

Stan

You don't always need to, but sometimes you have to. The function avg of timechart takes a single argument, so it is obvious that there is only one "string" in the parenthesis. A command like table on the other hand can take more than one argument, and they do not need to be separated by commas (i.e. | table RealName OtherName is totally legit, althoug you might want to use | table RealName, OtherName to make it obvious). Therefore, you are required to explicitly surround the arguments with double quotes in these situations (try it: | table RealName Elapsed _ms should give you a table with three colums, two of them empty).
I can understand that you might be frustrated by always having to be precise, but you'll learn to understand the signs (such as a table with empty colums, or a search that returns no results).

Jeff,

Many thanks for that. Just the pointer I needed. The syntax is new to me and I was looking for enclosing quotes etc. Also, the parser seems to fail silently if I put in an illegal name. My column name was 'Elapsed _ms' (with a space) and I was entering 'Elapsed_ms' - so nothing was appearing.

That book is a great reference.

Thanks again,

Stan

You're welcome. By the way, if you're looking to enclose your search term, use double quotes (useful when they include a space).