Add a space between  the two timechart functions. E.g.  | timechart avg(event.Properties.duration) stdev(event.Properties.duration) Also, you can remove the  | iplocation  as we aren't using any of the fields that command adds for this visualization, so it will only slow down the search.

Hi @Dean.Marchetti  If your question is about dynamically starting appd, the closest match will be: https://docs.appdynamics.com/appd/24.x/latest/en/application-monitoring/install-app-server-agents/java-agent/install-the-java-agent#id-.InstalltheJavaAgentv24.3-AttachtheJavaAgenttoaRunningJVMProcess Not sure if this is what you looking for? regards, Terence

Hi @jaibalaraman, You can calculate the mean and standard deviation using the stats command: | stats avg(event.Properties.duration) as u stdev(event.Properties.duration) as s however, that won't produce a chart. At a glance, your data is not normally distributed. You can generate a simple histogram with the chart command: | chart count over event.Properties.duration span=31 If you have Splunk Machine Learning Toolkit installed, you can use the histogram macro and visualization: | `histogram("event.Properties.duration", 31)` Note that the histogram macro uses the bin command: bin "$var$" bins=$bins$ | stats count by "$var$" | makecontinuous "$var$" | fillnull count It won't necessarily honor your bin count. What type of graph or visualization would you like to create?

Hi @Moshe, Before Java 8, Oracle (and Sun prior to its acquisition) included a JDBC-ODBC bridge driver with Java for Windows. Java 7 support ended  in 2022, and Splunk DB Connect support for Java 7 ended many years ago. If no JDBC driver is available for your data source, you may be able to find a current JDBC-ODBC bridge solution from OpenText (formerly Micro Focus, which acquired Serena Software and Merant), CData, or another vendor. Those vendors may also sell a JDBC driver for your data source; however, not all JDBC drivers support the interfaces required by Splunk DB Connect. Which ODBC driver and/or database platform are you trying to query? A scripted input might be the easiest solution to your problem.

A problem I noticed is, the new token only gets a value when we change the origin token. That's to say, when we opened the dashboard, although the origin token has a default value, the new token is null, thus the queries don't work. We'll see "Search is waiting for input "

Hi @joelsz, Using Splunk 9.1.0 I set up 3 dashboards: dash_a, dash_b, dash_c When you click a button it loads the corresponding dashboard, and that's all.  I've added some starter CSS to pretty up the buttons: <form version="1.1" theme="light"> <label>Dash_C</label> <fieldset submitButton="false"> <input id="linkToOtherDash" type="link" token="link_dash"> <label>View other Dashboard:</label> <choice value="dash_a">Dashboard 1 ↗</choice> <choice value="dash_b">Dashboard 2 ↗</choice> <choice value="dash_c">Dashboard 3 ↗</choice> <change> <condition value="dash_a"> <link target="_blank">/app/search/dash_a</link> </condition> <condition value="dash_b"> <link target="_blank">/app/search/dash_b</link> </condition> <condition value="dash_c"> <link target="_blank">/app/search/dash_c</link> </condition> </change> </input> </fieldset> <row><panel depends="$CSS$"><html><style> .splunk-linklist{ width:fit-content!important; } .splunk-linklist button{ min-width: 120px; } .splunk-linklist button span{ -webkit-box-pack: left; justify-content: left; -webkit-box-align: left; align-items: left; } .splunk-linklist button{ background-color: #dddddd82; margin: 4px 2px 0px 0px; transition: 0.3s; } .splunk-linklist button:hover { background-color: #007abd!important; color: white!important; } </style></html></panel> </row> </form> Note that if you click a button, then go back to the original dashboard and click edit then cancel, it will load the second dashboard again. If you want to avoid that then update the links and remove target="_blank" .

This question is too vague - yes, some auto-scaling can be done under certain circumstances, but whether is is possible for your usecase is yet to be determined. Perhaps you could share some sample events, the searches you are using and your current dashboard designs. Also, include what you have tried so far, and a mock up of what you would like it to look like (if possible).

Since your sample data doesn't show more than one host or user for each ip address, guessing that list would be useful to get what you needed was beyond my knowledge. Perhaps you could provide a more representative example of the events you are dealing with next time so we might be able to suggest a suitable solution (hopefully avoiding memory issues if possible).

Hi @deepdive100., You can create the column name based on what the field "name" is set to using by: |makeresults |eval sample="100" |eval name=if(sample=100,"C",N/A) |timechart max(sample) by name This creates a table with columns: _time, C. If the values are less or more than 100, there'll be an additional column "N/A" If you have a dashboard and you want to pick which column is displayed, you could do something like: |makeresults |eval sample="100" |eval name=if(sample=100,"$DROPDOWN_TOKEN$",N/A) |timechart max(sample) by name And set up an input that sets the token $DROPDOWN_TOKEN$.  

Hi @PickleRick , sorry it was a typo erro Are you sure you wanted old value of get as old_put? --- sorry it was a typo error   Also, you can just do your condition as | where command to find only those matching results. Then you'd trigger alert only if you had any results at all.-- soory I used where condition but it's not working |Where getperct>50 |Where putperct>10 |Where deleteperct>80 I want to receive error even if any one condition match, but I am not getting Can u pls help