Hi @nikitha15 - just ran into the exact same problem. Let me show you what I did just for max using a search that anyone can run on their own Splunk Enterprise or Splunk Cloud deployment. Main search is like so: index = _internal sourcetype IN (splunk_web_access, splunkd_access) | timechart span=h count by sourcetype Annotation search is like so: index = _internal sourcetype IN (splunk_web_access, splunkd_access) | timechart span=h count by sourcetype | eval total = splunk_web_access + splunkd_access | stats max(total) | rename max(total) as Max | map search="search index = _internal sourcetype IN (splunk_web_access, splunkd_access) | timechart span=h count by sourcetype | eval total = splunk_web_access + splunkd_access | search total=$Max$" | eval annotation_label = "Max interactions occurred at " + strftime(_time, "%H:%M:%S") + " - total of " + total + " interactions." | fields _time, annotation_label, total I used map to pull out just the timespan associated with the max number of events - someone better at SPL could probably find a better approach. Note that in SimpleXML dashboards you have to use $$ around the map replacement token instead of $ in the search bar. To show the whole dashboard: <dashboard> <label>Test for nikitha15</label> <row> <panel> <chart> <search> <query> index = _internal sourcetype IN (splunk_web_access, splunkd_access) | timechart count by sourcetype span=h </query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <search type="annotation"> <query> index = _internal sourcetype IN (splunk_web_access, splunkd_access) | timechart span=h count by sourcetype | eval total = splunk_web_access + splunkd_access | stats max(total) | rename max(total) as Max | map search="search index = _internal sourcetype IN (splunk_web_access, splunkd_access) | timechart span=h count by sourcetype | eval total = splunk_web_access + splunkd_access | search total=$$Max$$" | eval annotation_label = "Max interactions occurred at " + strftime(_time, "%H:%M:%S") + " - total of " + total + " interactions." | fields _time, annotation_label, total </query> <earliest>-24h@h</earliest> <latest>now</latest> </search> </chart> </panel> </row> </dashboard> Let me know if that's not quite answering your question.
... View more