@marycordova and @ITWhisperer  Thank you for your answers. Your solutions would work if my event contained a few fields. However, the data includes 20+ fields [Loc, FN, LN, Address, City, State, Zip, Phone, ID, etc.]; and will be increasing to over 100 fields. If we mvappend all of these fields, this would be extremely inefficient, as well as make sorting/searching on a specific field(s) very cumbersome. A colleague suggested using list instead of values: | stats list(FirstName), list(LastName) BY Loc. However, I don't believe Splunk would handle event data where a field was null or blank properly. It would not enter a blank line in the results table. Thanks again and God bless, Genesius ... View more

@Richfez  Thanks Rich. To bring up another Sesame Street song, 🎼 "Sunny days. Chasing the clouds away,....". So I don't want to spend too much time indoors this weekend.  😉 The dashboard panel code is from Syncsort's IronStream app for Splunk. We are tweaking copies of the CISC dashboard for specific OAPPLIDs, as well as other fields IronStream provides. OAPPLID is a text token, $regionFilter$, we are converting to a drop-down token, with the same name, to provide better reporting. Here is the original XML code for the IronStream panel. <panel> <title>Average Transaction Response Time (secs)</title> <chart> <search> <query>index=$index$ SYSNAME=DOL1 MFSOURCETYPE=SMF110 TRAN !="C*" OAPPLID=$regionFilter$|eval TransactionSpeed=(SUSPTIME_MICROSEC + USRCPUT_MICROSEC) | stats avg(TransactionSpeed) as avgTransactionSpeed|eval avgTransactionSpeedSec=round(avgTransactionSpeed/1000000,5) | gauge avgTransactionSpeedSec 0 .003 .006 .0065 .007 .0075 .008 .0085</query> <earliest>$gaugeStartTime$</earliest> <latest>$gaugeEndTime$</latest> <refresh>$autoRefresh$</refresh> <refreshType>delay</refreshType> </search> <option name="charting.chart">radialGauge</option> <option name="charting.chart.style">minimal</option> <option name="refresh.display">progressbar</option> <option name="charting.gaugeColors">[0xBF3030,0xFFE800,0x84E900]</option> </chart> </panel> The gauge command is using hardcoded figures for different values. We need to make this dynamic, based on the value of the OAPPLID. If I may, let's step back a bit. The upper_limit values chosen here are strictly for a proof of concept. I chose the .1 - .7 values as a quick visual to show the SPL is working. In reality, some of the upper_limit values might be the same. The upper_limit might be less than all the others as it is an average of all the OAPPLIDs combined. I  🤔 the above answered A. Onward and up/downward to B. By "trivial version" I  🤔  you mean less values of OAPPLID? If so, I was doing that in my original posting. But because the other possible values of OAPPLID are still, well, possible, I thought that might be the culprit.?! I think I just confused myself.   🤔   See. I mean C. Learned another new clause, without losing my sanity. Get it sanity, clau... Never mind. I'm losing my mine. I would have loved mvcount to work. But alas. Nope. Now onto my own D. Whatever solution I find here can/will be used with future clients and projects. Nothing ever goes to waste. Everything is recycled. Thanks again for your help and our banter. Feels refreshing in this time of uncertainty. Stay safe and healthy, you and yours. God bless, Genesius   ... View more

@Richfez  Shutting it down for the evening. This is what I have so far.   | inputlookup lup_certsTotalByEpochDay.csv | eval epochToday = strptime(strftime(now(),"%m/%d/%y"),"%m/%d/%y") | rex field=epochToday "(?<epochToday>\d{10})" | eval epochStart=epochToday-86400, epochEnd=epochToday-(13*86400) | where (epochDay<=epochStart AND epochDay>=epochEnd) | eval weekday = strftime(epochDay, "%w - %A") | eval week_of_year = strftime(epochDay, "%V") | chart values(Total) OVER weekday BY week_of_year   Here are the results. Still alot of tweaking to do.  End up with 3 weeks instead of 2. Rename 25 and 24 to This Week and Last Week. Rotate the weekday so today is always at the bottom. Add the live search (today) to that bottom cell. weekday 23 24 25 0 - Sunday 92923 146151   1 - Monday   122810 127312 2 - Tuesday   125986 116905 3 - Wednesday   128081 113381 4 - Thursday   130493 103829 5 - Friday   125972   6 - Saturday 73311 119197     Thanks and God bless, Genesius ... View more

@Richfez  Thanks for your reply.  There is a lot to unpack here. Here is the code I am currently using that does the same thing, but it runs the search against the previous 13 days, which is very slow. By the time today, the live table cell is updated, the search has to begin again. If I could populate the first 13 cells with static data from a lookup table, this would vastly improve the speed of this panel.   index IN (linuxevents) AND earliest=-14d@w latest=now AND host IN (law) AND source IN (/data/jboss/standalone/log/server.log) AND sourcetype IN (jboss:server) AND message="DOPAY served" | timechart count(message) AS certs span=1d | timewrap w | eval dow=strftime(_time,"%A") | rename dow AS "Day of Week", certs_latest_week AS "This Week", certs_1week_before AS "Last Week" | table "Day of Week", "This Week", "Last Week"   On the bottom row, the middle cell is always today. I will work on the solution you provided and update you. Enjoy your weekend. Thanks and God bless, Genesius ... View more