topic How to build a logic to create a dashboard with out using the non-transform command. in Dashboards & Visualizations https://community.splunk.com/t5/Dashboards-Visualizations/How-to-build-a-logic-to-create-a-dashboard-with-out-using-the/m-p/518479#M34792 <P>Hi All, I have created a dashboard with four panels and used a base query and sub query. But in the base query&nbsp; i have used the non-transforming command.</P><P><U>Base query details</U></P><P>index=test sourcetype=x_service component=x_component |&nbsp; eval result=case(result="Passed","CompletePassed",result="Failed","CompletedFailed",isnotnull(result),result,isnull(result),null) | eventstats lastest(result) as result latest(status) as finalStatus earliest(_time) as Earliest latest(_time) as Latest by transId,component&nbsp; | eval Final_result=case(isnull(result) AND isnotnull(finalStatus),finalStatus,isnotnull(result),result,isnull(result) AND isnull(finalStatus),"MissingStatus") | fields&nbsp; _time, transId,component,result,Final_result,status,finalStatus,message,duration</P><P>In one of the panels I have used sub query to find the average duration to complete the transaction.</P><P><U>Average duration to complete the transaction&nbsp;</U></P><P>| timechart span=30m avg(duration)&nbsp;</P><P>Using the above base query and sub query, I am able to get the output but it seems it is not best practice to use the non-transforming commands in dashboards,&nbsp; so used stats command instead of event stats command in base search and got the output.</P><P>Similarly to calculate the average duration to complete the transaction created another base query for that panel and used&nbsp; the stats/timechart unable to get the output.&nbsp;</P><P>index=test sourcetype=x_service component=x_component | stats earliest (_time) as Earliest&nbsp; &nbsp;latest(_time) as Latest by correlationId | eval duration= Earliest-Latest | timechart span=30m avg(duration)&nbsp;&nbsp;</P><P>unable to get the output.&nbsp;</P><P>But when we use the eventstats commands I am&nbsp; getting the output.</P><P>index=test sourcetype=x_service component=x_component | eventstats earliest (_time) as Earliest&nbsp; &nbsp;latest(_time) as Latest by correlationId | eval duration= Earliest-Latest | timechart span=30m avg(duration)&nbsp;&nbsp;</P><P>Question is how to write the sub query using the base query.</P><P>Thanks in advance.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 08 Sep 2020 15:57:29 GMT Hemnaath 2020-09-08T15:57:29Z How to build a logic to create a dashboard with out using the non-transform command. https://community.splunk.com/t5/Dashboards-Visualizations/How-to-build-a-logic-to-create-a-dashboard-with-out-using-the/m-p/518479#M34792 <P>Hi All, I have created a dashboard with four panels and used a base query and sub query. But in the base query&nbsp; i have used the non-transforming command.</P><P><U>Base query details</U></P><P>index=test sourcetype=x_service component=x_component |&nbsp; eval result=case(result="Passed","CompletePassed",result="Failed","CompletedFailed",isnotnull(result),result,isnull(result),null) | eventstats lastest(result) as result latest(status) as finalStatus earliest(_time) as Earliest latest(_time) as Latest by transId,component&nbsp; | eval Final_result=case(isnull(result) AND isnotnull(finalStatus),finalStatus,isnotnull(result),result,isnull(result) AND isnull(finalStatus),"MissingStatus") | fields&nbsp; _time, transId,component,result,Final_result,status,finalStatus,message,duration</P><P>In one of the panels I have used sub query to find the average duration to complete the transaction.</P><P><U>Average duration to complete the transaction&nbsp;</U></P><P>| timechart span=30m avg(duration)&nbsp;</P><P>Using the above base query and sub query, I am able to get the output but it seems it is not best practice to use the non-transforming commands in dashboards,&nbsp; so used stats command instead of event stats command in base search and got the output.</P><P>Similarly to calculate the average duration to complete the transaction created another base query for that panel and used&nbsp; the stats/timechart unable to get the output.&nbsp;</P><P>index=test sourcetype=x_service component=x_component | stats earliest (_time) as Earliest&nbsp; &nbsp;latest(_time) as Latest by correlationId | eval duration= Earliest-Latest | timechart span=30m avg(duration)&nbsp;&nbsp;</P><P>unable to get the output.&nbsp;</P><P>But when we use the eventstats commands I am&nbsp; getting the output.</P><P>index=test sourcetype=x_service component=x_component | eventstats earliest (_time) as Earliest&nbsp; &nbsp;latest(_time) as Latest by correlationId | eval duration= Earliest-Latest | timechart span=30m avg(duration)&nbsp;&nbsp;</P><P>Question is how to write the sub query using the base query.</P><P>Thanks in advance.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 08 Sep 2020 15:57:29 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-build-a-logic-to-create-a-dashboard-with-out-using-the/m-p/518479#M34792 Hemnaath 2020-09-08T15:57:29Z Re: How to build a logic to create a dashboard with out using the non-transform command. https://community.splunk.com/t5/Dashboards-Visualizations/How-to-build-a-logic-to-create-a-dashboard-with-out-using-the/m-p/518513#M34794 Hi<BR />Add to the end of base query | fields * if you cannot use transforming commands. Usually this helps to use any fields on sub query. And remember the max amount of event when you are using non transforming query!<BR />R. Ismo Tue, 08 Sep 2020 18:56:09 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-build-a-logic-to-create-a-dashboard-with-out-using-the/m-p/518513#M34794 isoutamo 2020-09-08T18:56:09Z