I remove the 'by'. But everytime I run the search, sending in real time data, it will print alarmcount and index2.

OH!

Ha, I see now. You have the field contents - the actual word 'alarmcount' and 'index2' in there! Sorry, that sort of ... I must have just looked right over it. 😞

Hmmm.....

Can you try

index="alarm" sourcetype="DATAcombined" |streamstats avg(alarmcount) as average stdev(alarmcount) as standarddev |eval threeSigmaLimit = (average  + (standarddev  * 3)) | where 'alarmcount' > 'threeSigmaLimit' | table _time alarmcount index2 threeSigmaLimit average standarddev

Specifically, I've added single-quotes around the two variables in the where, changed the name of stdev and avg to non-keywords, and added extra fields to the display.

What I want to see is if a) the problem goes away (because of the quotes now) and if it doesn't, what are the values of average and standarddev when it is wrong?

If it goes away, I expect it's the quotes - try changing one thing at a time back and see if we can narrow down just what the problem is.

Hi Rich. I have replied you as a comment below. I've have not really found the reason why the alarm count and index is showing? but I realized that the StandardDev and Average is changing for the same index everytime I refresh the table. It's supposed to be static. I suspect that it might be due to the streamstats command. From my knowledge, the streamstats command should only change the 'LATEST' field value right?

And I realized that, whenever I start a new search, it uses the previous average,3sigmalimit and standarddev VALUE as the initial value and that's when the 'ALARMCOUNT and INDEX2' appears.

Is there a way to prevent this? The initial value of average should only start counting from the 2nd index. and for Standard Deviation, the initial value should only start after the 3rd index.