Hi @asplunk789, Adding a table command makes searches run on the search head. That is why it is slow. Base searches should be more specific. Returning all raw data to panels is not the best practice. Please use stats or timechart command on your base search as a preparation for your panels.    ... View more

Thanks I didn't know that. Thought you'd have to transform it to get a result but I've checked it and you are absolutely correct! I will adjust my answer accordingly. ... View more

Is it possible the same way for 100's of servers (different servers like app servers, db servers etc..) comparison. ... View more

Traffic distribution should be equally distributed for each server and if any difference, we can trigger an alert for specific servers not in equal distribution. ... View more

Here is one way of implementing it (assuming that ProcessingTimeMS is the field that represents response time). This example generates and analyze the last 30 minutes of sample day.  Summarizes the last 10 minutes with min, avg, and max response time and populates each event for later filtering. You can adjust the filter based on how strict you want it, for example  Every response time within last 10 minutes > 3 last_10m_min_secs>3 If you want to use average response time:  last_10m_avg_secs>3 The reason to expand the search to say 30 minutes is to provide some historical data for reference. Having additional data will make a standalone alert more meaningful/useful. Of course, this creates some overhead which you need to consider.       | makeresults | eval start=now()-1800, end=now() | eval range=MVAPPEND(start, end) | mvexpand range | eval _time=range | fields _time | makecontinuous _time span=30s | sort 0 -_time | eval ProcessingTimeMS=(random() % 20000) + 1000 | eval time_secs=ProcessingTimeMS/1000 | bucket _time span=1m | stats avg(time_secs) AS avg_secs max(time_secs) AS max_secs min(time_secs) AS min_secs BY _time | eval stats_name=strftime(_time, "%Y-%m-%d %H:%M:%S") | appendpipe [| where _time>relative_time(now(), "-10m@m") | rename avg_secs AS time_secs | stats avg(time_secs) AS avg_secs max(time_secs) AS max_secs min(time_secs) AS min_secs | foreach * [| eval <<FIELD>>=ROUND(<<FIELD>>) | eval last_10m_<<FIELD>>=<<FIELD>>] | eval stats_name="_Last 10 Min Stats_"] | eventstats max(last_10m_min_secs) AS last_10m_min_secs max(last_10m_max_secs) AS last_10m_max_secs max(last_10m_avg_secs) AS last_10m_avg_secs | sort 0 - stats_name | foreach *secs [| eval <<FIELD>>=ROUND(<<FIELD>>)] | eval stats_type="RESPONSE TIME" | table stats_name stats_type avg_secs min_secs max_secs last_10m* | where last_10m_avg_secs>3 | fields - last_*       ... View more

hi @asplunk789 try with split("-") ... View more

Hi Nike, The above solution works good. But I have will have to have two drop downs inside the panel "Search Based on Lookup". as Name and Subname and the corresponding query has to be executed. This is because the Name has many subnames under it. Could you kindly help me with it. ... View more