Hey woodcock thanks for your anwser.

So i created a query based off some of the info you gave me and came out with :

index=doccloud_main sourcetype=doccloud_catalina "Document workspace" | stats count by Category,subCategory | sort - count | head 5

But when I click on the statistics tab, it displays " no results found".

Can you please help

I thought you had already created the field extractions but I guess not; you need to add this (examples above are corrected):

... rex  ".*Category:(?<Category>\d+), subCategory:(?<subCategory>\d+)"

I have added in more info into the query and tried to execute:

index=doccloud_main sourcetype=doccloud_catalina "Document workspace" | rex  ".*Category:(?<Category>\d+), subCategory:(?<subCategory>\d+)" | top limit=5 subCategory by Category

and still got the same result as before

Do you get any results from any of the searches? What you are describing makes no sense at all (this is a very basic thing)! Try stripping off everything after each pipe ("|") starting from the right side and see if what you see each time makes sense and find out where things break down.

index=doccloud_main sourcetype=doccloud_catalina "Document workspace" | rex  ".*Category:(?<Category>\d+), subCategory:(?<subCategory>\d+)"

I tried all of the above after the regex and nothing works past the regex and i'm not sure why. Pretty much the above code is the only thing that executes correctly.

Are you sure there are events in your time range and base search? Try it for "All time" and also try it for index=doccloud_main (without the sourcetype=doccloud_catalina "Document workspace"). There is something fundamentally wrong about the basics of what you are saying.

I apologize for my wording. All the above queries execute and display events, its just that when you click on the statistics or visualization tabs nothing is displayed. I also tried removing the source type and the following string, and I get the same results - events are displaying but not statistics.