Hi @Devi13, please try this: index=abc host IN () | eval col=_time."|".response_time | stats max(response_time) AS "Maximum Response Time" values(col) AS col BY URL | mvexpand col | rex field=col "^(?<_time>[^\|]+)\|(?<response_time>[.+)" | where "Maximum Response Time"=response_time | table URL "Maximum Response Time" _time | sort - "Maximum Response Time" Maybe it's also possible using eval in the stats command. Ciao. Giuseppe

Hello @gcusello , Thank you for your response. I am looking for something like below,   URL Maximum Response Time Time at which the maximum response got hit 1 abc.com 22.346 2024-04-24 00:00:25   so at 2024-04-24 00:00:25 this time, the url abc.com got the maximum response time I need to append the time which corresponds to the maximum response time of the url

Hi @Devi13, what do you mean with "respective time"? if you're meaning time info about the search (es. min_time, max_time, search execution_time, etc...) you could add "| addinfo" at the end of your search and choose the info you want. for more infos see at https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo Ciao. Giuseppe

i @Roy_9 , you shared too few information to help you: Which kind of scripts are you speaching ? which OS are you using? Have you a lustered or stand alone SH ? Why do you want to execute these scripts on SH? Ciao. Giuseppe

Hi @renjith_nair. Thank you but  it's not something i am looking for. I have a column chart to visualize the status of requests to a website. Each time the dashboard is refreshed, the number of status displayed changes and the color of the columns may change. How can I configure a fixed color for each status value?  

@ITWhisperer  , i considered 1,0 and and put condition like this. But still i am not able to set the token. Is this implementation correct? <done> <condition match="match(has_runtime,&quot;1&quot;)"> <set token="tok_runtime">true</set> </condition> <condition match="match(has_runtime,&quot;0&quot;)"> <unset token="tok_runtime"></unset> </condition> </done>  

Hi @GaryZ, As far as I understand, this is not possible with dashboard studio so the best solution would be to have both charts there, but only one displaying depending on the token. However, you can do it with Classic Dashboards (i.e. simple XML dashboards). Here's an example:   <form version="1.1" theme="light"> <label>Splunk answers</label> <fieldset submitButton="false"> <input type="dropdown" token="chart" searchWhenChanged="true"> <label>Chart Style</label> <choice value="line">Line Chart</choice> <choice value="column">Bar Chart</choice> <default>line</default> <initialValue>line</initialValue> </input> </fieldset> <row> <panel> <title>Chart</title> <chart> <search> <query>| gentimes start=-20 | eval sample=random()%100 | eval _time = starttime | timechart span=1d max(sample) as value</query> <earliest>-20d@d</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="charting.chart">$chart$</option> <option name="charting.drilldown">none</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> </form>   The trick here is to create a token with the value of the chart you'd like to show ("line" or "column") and then use that token in the XML:   <option name="charting.chart">$chart$</option>     This might get annoying to develop though, as you can't edit the chart while this value is set. You can always change it while editing and then change it back when you're done.      

Quite literally | makeresults | fields - _time | eval min = 0.442 | eval max = 0.507 | eval mean = 0.4835625 | eval stdev = 0.014440074377630105 | eval count = 128 | eval pi = 3.141592653589793238462 | eval min = printf("%.3f", mean - 3.0 *stdev)```; # use sprintf as a rounding function``` | eval max = printf("%.3f", mean + 3.0 * stdev) | eval x=min | eval interval = (max - min)/(count - 1) | eval c=mvrange(0, count, 1) | foreach c mode=multivalue [ | eval y= (1.0/(stdev * sqrt(2.0 * pi))) * exp(-0.5*(pow(((x - mean) / stdev), 2))), myFIELD=mvappend(myFIELD, printf("%.3d", y)), x = x + interval ] | fields - c