I am working on one Bug. In TAV dashboard Graphs are not visible in the CFF IT/Business KPIs. After my initial analysis I found that data came from "get_cff_trends" macros, and this macros is not returning any values. So, I starts validating the "get_cff_trends" macros  code.

 

 

| mstats latest(avg.alert_*) as latest.alert_* avg(avg.alert_*) as avg.alert_* sum(sum.alert_*) as sum.alert_* WHERE source="iobserve_v5" AND index="em_metrics" AND ( service="TA:CFF:Business:Sweden" AND kpi="ServiceHealthScore" ) OR ( service="TA:CFF:Business🇸🇪Orders Created" AND kpi="Orders count - Total" ) OR ( service="TA:CFF:Business🇸🇪Work Orders Fulfilled" AND kpi="Orders fulfilled in last 1 hr" ) OR ( service="TA:CFF:Business🇸🇪Work Orders Delivered" AND kpi="Orders Delivered*" ) OR ( service="TA:CFF:Business🇸🇪Work Orders Released" AND kpi="Released Orders - Nr Orders In Latest Release" ) earliest="1718179949.136" latest="1718179949.136" span="10m" BY kpi service

| eval alert_value='avg.alert_value', alert_level=round('avg.alert_level',0)

| eval value = if(kpi like "%Order%" , 'sum.alert_value', alert_value)

| stats avg(value) as avgValue by _time service,kpi

| eval avgValue=round(avgValue,0), minValue=round(minValue,2), maxValue=round(maxValue,2), dday=strftime('_time',"%Y-%m-%d")

| eval avgValue = if( isnull(mvfind(_time, all_times)), 0, mvindex(avgValue,mvfind(_time, all_times)))

| fillnull value="N/A"

| stats list(avgValue) as avgValue values(all_times) as _time by service kpi

| eval avgValue=mvjoin(avgValue,",")

| eval unit=case(like(lower(kpi),"%percent%"),"%", like(lower(kpi),"%conversion%"),"%", like(lower(kpi),"%syncronisation%"),"%", like(lower(kpi),"%availability%"),"%", like(lower(kpi),"%order%"),"#", like(kpiid,"SHKPI%"),"%", like(lower(kpi),"%lead time%"),"days", like(lower(kpi),"%size%"),"#", like(lower(kpi),"%price%"),"#", like(lower(kpi),"%cff%"),"%", like(lower(kpi),"%sample%"),"#", like(lower(kpi),"%calls%"),"#", like(lower(kpi),"%transactions%"),"#", like(lower(kpi),"%sessions%"),"#", like(lower(kpi),"%error%"),"#", like(lower(kpi),"%checkouts%"),"#", like(lower(kpi),"%response time%"),"ms", like(lower(service),"%data quality%"),"%", true(),"%")

| eval display_name=case(kpi like "ServiceHealthScore", "Fulfillment Flow Health", kpi like "Orders count - Total%", "Orders created", kpi like "Orders Delivered*%", "Orders delivered*", kpi like "Orders fulfilled in last 1 hr%", "Orders fulfilled*", kpi like "Released Orders - Nr Orders In Latest Release", "Orders released", true(),kpi)

| appendcols

    [| inputlookup slack_incidents.csv]

      

In this query we found ,when we are using "_time" in our query its not returnning value and if we remove "_time" than query returns value upto 9th lines but If we run whole query without "_time" its not returned any value. also if we run query with "_time"  than also it not return values.

Can you please help me to resolve this issue.