I have to admit, there are certain aspects of ITSI I find limiting.
For example: I need to create a KPI which is the sum of two fields in the last 5 minutes, say fields foo and bar.
I can specify that I want the sum of either of those individually as a metric, but I cannot specify that I want the sum of both of them combined into one KPI.
Is there a way to do this that anyone is aware of?
So I have noticed the backfill data is exactly 3178 for the last 7 days.
When I run in itsi and ask for the last 24 hours, it returns exactly 3178.
So that means that somehow the backfill is not computing for a 5 min window every minute but is doing it for the last 24 hours every minute. Or that's one heck of a coincidence.
Well, this is my generated search.
sourcetype=cpu SCP1_CPU
| eventstats sum(SCP1_CPU) as sum_scp1
| eventstats sum(SCP2_CPU) as sum_scp2
| eventstats sum(SCP3_CPU) as sum_scp3
| eventstats sum(SCP4_CPU) as sum_scp4
| eval avg_scp_cpu = (sum_scp1 + sum_scp2 + sum_scp3 + sum_scp4) / 4 | aggregate_raw_into_service(avg, avg_scp_cpu)
| assess_severity(1e9057dc-4f5d-4abf-a773-e85349dd8a84, 840141769da338d4b0e16cdd, true, true)
| eval kpi="scp cpu util3", urgency="5", alert_period="5", serviceid="1e9057dc-4f5d-4abf-a773-e85349dd8a84" | assess_urgency
When I press ctrl+shift+e it doesn't do anything at all. Maybe it's because I'm on a Mac?
I ran that generated search and did a search for yesterday and indeed, the alert_value is 3174. But when I run it for the last 5 mins, it shows the expected 11.
This makes me wonder if somehow during backfill with this query, it is summing up the complete day's worth of values. I'm going to test this.
If you're on a Mac, it's cmd + shift + e
As a side note, I noticed even though the backfilled data is in the 3000s, after a few mins, the data goes down to the 11-13 range that I expect.
Sort of good news. Even though I could not see the preview in Thresholding, I can apply it and see it reflected in the Deep Dive so I can at least use Thresholding.
Ah, using itsi_summary, I was able to find the alert_value and it is matching the values that I see in the Deep Dive results. This means the query is working, but the preview I see in the Threshold preview is way off for some reason. The values for the alert_value are between 11-13 and the values in the Threshold preview are all 22265 for some reason, and I have values for yesterday, so I would expect them to be reflected here. Anything else in the itsi_summary you can think of that would help me figure out why this is happening? (Note: I have other KPIs I created a week or so ago which are also using eventstats and eval functions that do show an accurate threshold preview map.)
Could I just need to wait longer to see it in the itsi threshold preview map?
Also you asked if I used a transformation in my search. This was my search so I think yes: "sourcetype=cpu SCP1_CPU | stats sum(SCP1_CPU) as sum_scp1 sum(SCP2_CPU) as sum_scp2 sum(SCP3_CPU) as sum_scp3 sum(SCP4_CPU) as sum_scp4 | eval avg_scp_cpu = (sum_scp1 + sum_scp2 + sum_scp3 + sum_scp4) / 4"
So I think I am using transformations.
Correct, I have tons of base searches and ad hoc searches that use eval and eventstats which backfill successfully. You should get rid of that reporting command stats and replace it with eventstats, like this. Once you do this, your preview will be readable:
sourcetype=cpu SCP1_CPU
| eventstats sum(SCP1_CPU) as sum_scp1 sum(SCP2_CPU) as sum_scp2 sum(SCP3_CPU) as sum_scp3 sum(SCP4_CPU) as sum_scp4
| eval avg_scp_cpu = (sum_scp1 + sum_scp2 + sum_scp3 + sum_scp4) / 4
Ugh I copied the wrong one here.
Here is the one I am using. I have one I am using and seeing the unusual behavior for:
sourcetype=cpu SCP1_CPU | eventstats sum(SCP1_CPU) as sum_scp1 sum(SCP2_CPU) as sum_scp2 sum(SCP3_CPU) as sum_scp3 sum(SCP4_CPU) as sum_scp4 | eval avg_scp_cpu = (sum_scp1 + sum_scp2 + sum_scp3 + sum_scp4) / 4
I tried to create one with stats hoping it would work, but the one with stats didn't return anything at all.
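As an added illustration (not part of the thread or of ITSI), this Python model of the search above reproduces two things discussed here: why a sum-based alert_value grows with the backfill window (the "3000s for 24 hours vs 11 for 5 minutes" observation), and how stats collapses the input to a single row while eventstats keeps every raw event. The sample events, the constant CPU value of 11 and the 5-minute sampling interval are constructed assumptions.

```python
from typing import Dict, List, Optional, Tuple

Event = Dict[str, float]
FIELDS = ["SCP1_CPU", "SCP2_CPU", "SCP3_CPU", "SCP4_CPU"]

def make_events(count: int, step_s: int = 300, value: float = 11.0, t0: int = 0) -> List[Event]:
    """Constructed sample: one event every step_s seconds, every SCPn_CPU at a constant value."""
    return [{"_time": float(t0 + step_s * k), **{f: value for f in FIELDS}} for k in range(count)]

def in_window(events: List[Event], now: float, minutes: int) -> List[Event]:
    """Events whose _time falls in the KPI window (now - minutes, now]."""
    return [e for e in events if now - 60 * minutes < e["_time"] <= now]

def eventstats_sum(events: List[Event]) -> List[Dict[str, float]]:
    """Like SPL eventstats sum(...): keeps every event, appends sum_scpN to each row."""
    totals = {f: sum(e[f] for e in events) for f in FIELDS}
    return [{**e, **{f"sum_scp{i}": totals[f] for i, f in enumerate(FIELDS, 1)}} for e in events]

def stats_sum(events: List[Event]) -> List[Dict[str, float]]:
    """Like SPL stats sum(...): collapses the input to one row, raw events are gone."""
    if not events:
        return []
    return [{f"sum_scp{i}": sum(e[f] for e in events) for i, f in enumerate(FIELDS, 1)}]

def eval_avg_scp_cpu(rows: List[Dict[str, float]]) -> List[Dict[str, float]]:
    """The thread's eval: avg_scp_cpu = (sum_scp1 + sum_scp2 + sum_scp3 + sum_scp4) / 4."""
    return [{**r, "avg_scp_cpu": (r["sum_scp1"] + r["sum_scp2"] + r["sum_scp3"] + r["sum_scp4"]) / 4}
            for r in rows]

def kpi_value(events: List[Event], now: float, window_minutes: int,
              use_eventstats: bool = True) -> Tuple[int, Optional[float]]:
    """Runs the search over one KPI window; returns (rows produced, avg_scp_cpu)."""
    rows = in_window(events, now, window_minutes)
    rows = eventstats_sum(rows) if use_eventstats else stats_sum(rows)
    rows = eval_avg_scp_cpu(rows)
    return len(rows), (rows[0]["avg_scp_cpu"] if rows else None)

# 24 hours of constructed events sampled every 5 minutes; "now" is the last sample.
EVENTS = make_events(count=288)
NOW = EVENTS[-1]["_time"]

if __name__ == "__main__":
    # A 5-minute window sees one event per host, so the sum equals the raw reading (11).
    print("5 min window :", kpi_value(EVENTS, NOW, 5))
    # A 24-hour window sums 288 readings per host, so the same search yields 288 * 11.
    print("24 h window  :", kpi_value(EVENTS, NOW, 1440))
    # stats produces a single row instead of one per raw event.
    print("stats, 24 h  :", kpi_value(EVENTS, NOW, 1440, use_eventstats=False))
```

The alert_value therefore tracks the number of events in the window, which is why a sum-based KPI reads in the thousands when evaluated over a day and in the teens over five minutes.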
Interesting. So you have queries that include eventstats and evals and it does backfill and allows for thresholding? I'm very curious to know because this will allow me to remove "not a function of ITSI" from my reasons for why this isn't working.