@yuanliu  Or you can use the _ field prefix to hide it from the foreach, i.e. | addtotals fieldname=_T | delta "_T" as _delta | foreach * [eval <<FIELD>> = if(-'_delta' > '_T' OR '_T' < 5000, null(), '<<FIELD>>')] ``` To show that the _ fields are present ``` | eval y=_T, x=_delta

@smanojkumar  It looks like you have a custom dashboard. So you can apply CSS by adding it to the HTML tag. Sample Code:   Here I'm changing the background. <dashboard version="1.1"> <label>Demo</label> <row> <panel> <html depends="$alwaysHideCSSStyle$"> <style> .dashboard-body { background: #1E93C6 !important; } .dashboard-header h2{ color: #ffffff !important; } </style> </html> </panel> </row> </dashboard>   To identify the element you can Use your Browser Inspector tool. Check this link for instructions. https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-update-panel-color-in-Splunk-using-CSS/m-p/364590/highlight/true#M23796   For further help on CSS, share sample code so we can replicate in our instance.   I hope this will help you. Thanks KV If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

@splunknoob_rip  Can you please try this? require([ 'jquery', "underscore", 'splunkjs/mvc', "splunkjs/mvc/searchmanager", "splunkjs/mvc/simplexml/ready!" ], function ($, _, mvc, SearchManager) { var submittedTokens = mvc.Components.get('submitted'); console.log("Hiee 1"); // var defaultTokens = mvc.Components.get("default"); var mysearch = new SearchManager({ id: "mysearch", autostart: "false", search: '| makeresults | eval test = "$capturedValue$" | collect index = "test_index"', preview: false, }, { tokens: true, tokenNamespace: "submitted" }); $("#btn-submit").on("click", function () { // Capture value of the Text Area var captured = $("textarea#outcome").val(); tokens.set("capturedValue", captured); submittedTokens.set(tokens.toJSON()); mysearch.startSearch(); }); });   I hope this will help you. Thanks KV If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

Hi @AMAN0113, on HF the upgrade made by GUI doesn't require restart, other wise you have to restart the forwarder. During restart you don't loss any data, because logs are written by Linux in files that are read by the forwarder when it restarts, you'll only have a delay in indexing. Obviously scripts aren't executed during restart, but they will executed at the next scheduled time. Let us know if we can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors

Excellent, thanks for the diagnosis!  So, the ASCII order in * enumeration ruined the conditions.  In my emulations, source series begin with a slash (/) that precedes T, but sourcetype series all begin with a lower-case letter that succeeds T.  This explains why the two groupby's behave differently. But I still need to null out Total.  So, a better (and yet simpler) approach is to place "Total" at the end of enumeration taking advantage of Splunk's globber rule:   | addtotals | delta "Total" as delta | foreach * Total delta [eval <<FIELD>> = if(-delta > Total OR Total < 5000, null(), '<<FIELD>>')] | fields - delta   Update: In real world, it is often undesirable to use arbitrary thresholds like Total < 5000.  For this technique to work, I also need to make sure all other fields are nulled before delta.  So, I must expressly specify the order of these two fields in foreach. Update 2: In addition to wanting to nullify Total, I also need to remove delta.  So, my best approach would be a hybrid of hacking field name and ensuring order: | addtotals | delta "Total" as _delta | foreach * Total [eval <<FIELD>> = if(-_delta > Total OR Total < 5000, null(), '<<FIELD>>')] This way, field deletion is also unnecessary.  Thanks again, @bowesmana for the inspiration!

Updated Query : Time difference is coming as "12/31/23 19:00:30:295 " index=web* "Message sent to Kafka" OR "Response received from Kafka" | stats earlies(_time) as Msg_received, latest(_time) as Response_Kafka by Unique_ID | eval difference=Response_Kafka-Msg_received | eval difference=strftime(difference,"%d-%m-%Y %H:%M:%S") | eval Msg_received=strftime(Msg_received,"%d-%m-%Y %H:%M:%S") | eval Response_Kafka=strftime(Response_Kafka,"%d-%m-%Y %H:%M:%S")