Hi @ibanez450, the easiest way is to use the stats command instead chart: source="hp printing" "printing" | stats eval(print_jobs) AS count by host | eval print_jobs = count/2 If the duplicated events have the same timestamp you could also use dedup before charting: source="hp printing" "printing" | dedup host _time | chart eval(print_jobs) AS print_jobs by host One final hint: use always index in your main search: your searches will be faster. Ciao. Giuseppe ... View more

Hi @aditsss, you have to put the search for the condition out of the panel, so if you have results you display the panel , otherwise you display the html box. If you have more searches put all of them in the top of the dashboard creating a base search for each of them, eventually (if possible) grouping some of them. Ciao. Giuseppe ... View more

Hi @aditsss, I did it for the first panel, but you can follow my approach also for the others: <search id="my_search"> <query> index="abc" sourcetype="xyz" $type$ TotalLicenses!=0 | lookup Org_Alias.csv OrgFolderName OUTPUT OrgName as OrgName | search $OrgName$ | fields OrgFolderName LicenseName SalesforceOrgId TotalLicenses UnusedLicensesUsedLicenses </query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> <progress> <condition match="'job.resultCount' == 0"> <set token="show_html">foob</set> </condition> <condition> <unset token="show_html"></unset> </condition> </progress> </search> <row> <panel> <chart rejects="$show_html$"> <title>Overall Salesforce User Licenses</title> <search base="my_search"> <query> | lookup Org_Alias.csv OrgFolderName OUTPUT OrgName as OrgName | search $OrgName$ | dedup OrgFolderName, LicenseName, SalesforceOrgId |chart sum(TotalLicenses) as "Total Licenses" sum(UnusedLicenses) as "Unused Licenses" sum(UsedLicenses) as "Used Licenses" by LicenseName </query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.text">Count</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.axisX.scale">linear</option> <option name="charting.axisY.maximumNumber">999999</option> <option name="charting.axisY.minimumNumber">0</option> <option name="charting.axisY.scale">log</option> <option name="charting.axisY2.enabled">0</option> <option name="charting.axisY2.scale">inherit</option> <option name="charting.chart">column</option> <option name="charting.chart.bubbleMaximumSize">50</option> <option name="charting.chart.bubbleMinimumSize">10</option> <option name="charting.chart.bubbleSizeBy">area</option> <option name="charting.chart.nullValueMode">gaps</option> <option name="charting.chart.showDataLabels">all</option> <option name="charting.chart.sliceCollapsingThreshold">0.01</option> <option name="charting.chart.stackMode">default</option> <option name="charting.chart.style">shiny</option> <option name="charting.drilldown">all</option> <option name="charting.layout.splitSeries">0</option> <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option> <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option> <option name="charting.legend.placement">top</option> <option name="height">400</option> <option name="refresh.display">progressbar</option> </chart> <html depends="$show_html$"> <p style="color:red;margin-left:30px;font-size:24px">No data:</p> <br/> <p style="color:blue;margin-left:30px;font-size:24px">in search results</p> </html> </panel> </row> Anyway, see in the Splunk Dashboard Examples App how to do this. Ciao. Giuseppe ... View more

Hi @arusoft, You can view the content of a lookup: in every app, if it's shared a Global level, in its own app, if it's shared at App level. No other ways. If you can access the lookup in the app, you could export the content in your pc and upload it in your own version of the lookup, but ot's only manual. Ciao. Giuseppe ... View more

Hi @arusoft, you have to give to your Lookup and Lookup Definition (remember of it otherwise it doesn't run!) a Global sharing and you'll see it in all your apps. Ciao. Giuseppe ... View more

Hi @termcap, as @ITWhisperer said, t he dates are in chronological order, but probably in the second search they are displayed in the order of your ingestion csv file. You can check this analyzing your csv file, probably the order that you see in you second search is the same of the csv file. If you want to order them, you can sort them. If instead you use the current timestamp, obviously they will be in index order, but if you index using current time as timestamp and you display _time and timestamp, probably you'll have the _time column ordered by time and the timestamp column in the sare order of now. Ciao. Giuseppe ... View more

Hi @arusoft, what do you mean with lookup from another index? lookups aren't related to index! if you're speaking of a lookup of another app, you have only to define the app and the app definition as global. could you better describe your question? Ciao. Giuseppe ... View more

Hi @ekenne06, good for you, see next time! Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @PickleRick, these are ingest time lookups, not indexes, they are different! Anyway, consider my hint about indexes. Ciao. Giuseppe ... View more