Hi Thank you for the reply, but this also did not work. In fact, it did not produce any events or results after running.

The HWM (High Water Mark) is a Max Value over a time period. I would like the HWM to accommodate values older (-1y) than the selected time range for the normal call counts (time picker=-30d).

Does this make sense? In other words, I don't want the HWM to change values and find a new HWM once the 30 day period rolls beyond the previous high value. If the Max value was say 6 months ago.. I would like to see a timechart for the last 30 days while still showing the true HWM value recorded 6 months ago.

Hmm, ok. I ran this same search against a simple _internal data set and did return results. Not sure what is different with your data? Did you run it over 30 days like you wanted? Can you run either the outer search or subsearch on their own?

For HWM, I understand the concept. But a max value of what over which period? It seems like you're just comparing counts of events (calls) essentially. But your timechart over 30 days will be counts per day. The subsearch in your original post is counting events over an entire year. The comparison doesn't make sense. I understand if your hwm mark intended to represent the count during the day in the past year that had the most calls, but I can't figure out if that's what you're actually asking....but that's what I was trying to answer.

I'm not sure how I am not conveying my thoughts to you here. You're correct in thinking of what I want. But what about the "comparison" are you missing? Not trying to be rude, I understand this is text. But I'm not trying to compare anything. I would like to display a line chart for the last 30 days of call totals, while displaying the HWM (of daily call totals) over the last year. NOT just the last 30 days as previously configured. If that is considered a comparison, then that is what I'm after. It is querying count of events in both aspects. yes.

Below is the output of the chart as it was configured originally. My goal is to have the HWM line display the max value for count of calls for the year while only still displaying the 30 day rolling period for the daily total counts. So when the HWM in this instance on June 14th of 1304 calls passes on July 15th.. the HWM will be a different value. I don't want this.

Ok, I think we're on the same page. This is the subsearch above that was throwing me off, because it just gets a total count of events over the past year.

[search index=ast sourcetype=poc_agi_logs agi_dnid=* grp=* earliest=-1y latest=-1d
      |stats count as "HWM" 
      |eventstats allnum=true max("HWM") AS "High Water Mark"]

That said, I thought the search in my answer was doing what you wanted. I don't know why it's not returning any results. Does the subsearch return what looks to be a correct hwm at least? I think that should get a counts for every day over the past year and the grab the max value.

Ok - so i tried your query again, and typing it in manually got it going. Must have cut something out before. 🙂

So this does run but is not returning the correct results. In an effort to make this run faster I changed this to search 30 days worth of events for the HWM while keeping the main search at last 7 days.

Ok, looks like we're getting closer, maybe? If you run the subsearch on its own, without the call to stats (so just the timechart), do those counts look right? And if so, does adding the stats max command back in work correctly? I feel like I'm missing something silly here...

Thank you - but I don't think that is it. This produced a very slow search and throughout that time, the HWM remained at zero. I changed the search for a much shorter time period and it was still slower than anything. I ultimately canceled it.

Functions as expected.