You could limit the events returned

```
index=network key_word="*HWPORTMAN-*QUEUE" OR key_word="LINECARDMGMTPROTOCOL-*WARNING"
| eval alert=case(like(key_word, "%HWPORTMAN-%QUEUE") OR like(key_word, "LINECARDMGMTPROTOCOL-%WARNING"), "Alert1")
| bin span=1d _time
| stats count by alert, _time
```

For multiple alert types, you would limit the search to all the possible alert conditions.