@Richfez  Thanks Rich. To bring up another Sesame Street song, 🎼 "Sunny days. Chasing the clouds away,....". So I don't want to spend too much time indoors this weekend.  😉 The dashboard panel code is from Syncsort's IronStream app for Splunk. We are tweaking copies of the CISC dashboard for specific OAPPLIDs, as well as other fields IronStream provides. OAPPLID is a text token, $regionFilter$, we are converting to a drop-down token, with the same name, to provide better reporting. Here is the original XML code for the IronStream panel. <panel> <title>Average Transaction Response Time (secs)</title> <chart> <search> <query>index=$index$ SYSNAME=DOL1 MFSOURCETYPE=SMF110 TRAN !="C*" OAPPLID=$regionFilter$|eval TransactionSpeed=(SUSPTIME_MICROSEC + USRCPUT_MICROSEC) | stats avg(TransactionSpeed) as avgTransactionSpeed|eval avgTransactionSpeedSec=round(avgTransactionSpeed/1000000,5) | gauge avgTransactionSpeedSec 0 .003 .006 .0065 .007 .0075 .008 .0085</query> <earliest>$gaugeStartTime$</earliest> <latest>$gaugeEndTime$</latest> <refresh>$autoRefresh$</refresh> <refreshType>delay</refreshType> </search> <option name="charting.chart">radialGauge</option> <option name="charting.chart.style">minimal</option> <option name="refresh.display">progressbar</option> <option name="charting.gaugeColors">[0xBF3030,0xFFE800,0x84E900]</option> </chart> </panel> The gauge command is using hardcoded figures for different values. We need to make this dynamic, based on the value of the OAPPLID. If I may, let's step back a bit. The upper_limit values chosen here are strictly for a proof of concept. I chose the .1 - .7 values as a quick visual to show the SPL is working. In reality, some of the upper_limit values might be the same. The upper_limit might be less than all the others as it is an average of all the OAPPLIDs combined. I  🤔 the above answered A. Onward and up/downward to B. By "trivial version" I  🤔  you mean less values of OAPPLID? If so, I was doing that in my original posting. But because the other possible values of OAPPLID are still, well, possible, I thought that might be the culprit.?! I think I just confused myself.   🤔   See. I mean C. Learned another new clause, without losing my sanity. Get it sanity, clau... Never mind. I'm losing my mine. I would have loved mvcount to work. But alas. Nope. Now onto my own D. Whatever solution I find here can/will be used with future clients and projects. Nothing ever goes to waste. Everything is recycled. Thanks again for your help and our banter. Feels refreshing in this time of uncertainty. Stay safe and healthy, you and yours. God bless, Genesius   ... View more

@Richfez  Shutting it down for the evening. This is what I have so far.   | inputlookup lup_certsTotalByEpochDay.csv | eval epochToday = strptime(strftime(now(),"%m/%d/%y"),"%m/%d/%y") | rex field=epochToday "(?<epochToday>\d{10})" | eval epochStart=epochToday-86400, epochEnd=epochToday-(13*86400) | where (epochDay<=epochStart AND epochDay>=epochEnd) | eval weekday = strftime(epochDay, "%w - %A") | eval week_of_year = strftime(epochDay, "%V") | chart values(Total) OVER weekday BY week_of_year   Here are the results. Still alot of tweaking to do.  End up with 3 weeks instead of 2. Rename 25 and 24 to This Week and Last Week. Rotate the weekday so today is always at the bottom. Add the live search (today) to that bottom cell. weekday 23 24 25 0 - Sunday 92923 146151   1 - Monday   122810 127312 2 - Tuesday   125986 116905 3 - Wednesday   128081 113381 4 - Thursday   130493 103829 5 - Friday   125972   6 - Saturday 73311 119197     Thanks and God bless, Genesius ... View more

@Richfez  Thanks for your reply.  There is a lot to unpack here. Here is the code I am currently using that does the same thing, but it runs the search against the previous 13 days, which is very slow. By the time today, the live table cell is updated, the search has to begin again. If I could populate the first 13 cells with static data from a lookup table, this would vastly improve the speed of this panel.   index IN (linuxevents) AND earliest=-14d@w latest=now AND host IN (law) AND source IN (/data/jboss/standalone/log/server.log) AND sourcetype IN (jboss:server) AND message="DOPAY served" | timechart count(message) AS certs span=1d | timewrap w | eval dow=strftime(_time,"%A") | rename dow AS "Day of Week", certs_latest_week AS "This Week", certs_1week_before AS "Last Week" | table "Day of Week", "This Week", "Last Week"   On the bottom row, the middle cell is always today. I will work on the solution you provided and update you. Enjoy your weekend. Thanks and God bless, Genesius ... View more

I think I might need to provide more context. In the search, there are 8 possible values for OAPPLID, selected from a drop-down input on the dashboard. CI04JPAD CI04JPAF CI004JMS CI004MAL CI04JPDG CI00400Z CI04JPTE * If * is selected on the drop-down this means any combination of one or more of those 7 values.    <search code> | eval upper_limit=case(OAPPLID="CI04JPAD",.1,OAPPLID="CI04JPAF",.2,OAPPLID="CI004JMS",.3,OAPPLID="CI004MAL",.4,OAPPLID="CI04JPDG",.5,OAPPLID="CI00400Z",.6,OAPPLID="CI04JPTE",.7) | eval lower_limit1=upper_limit/3 | eval lower_limit2=(upper_limit/3)*2 | stats avg(TransactionSpeed) AS avgTransactionSpeed, values(upper_limit) AS upper_limit, values(lower_limit1) AS lower_limit1, values(lower_limit2) AS lower_limit2 | gauge avgTransactionSpeedSec 0 lower_limit1 lower_limit2 upper_limit   If * is selected, and there is only one value for OAPPLID at that time, for example, CI04JPAF, upper_limit should be set to 1.5 and not .2. I hope this is clearer. I'm still struggling with putting the idea into words. What does * represent to Splunk? Is there a length associated with *? I tried adding a (len(OAPPLID)=1),1.5 to the beginning of the if clause, but didn't work either. I'm thinking I may need to use <set> and <unset> of the upper_limit in the dashboard for each possible OAPPLID. I would prefer to have the SPL handle rather than the XML. I hope this didn't confuse matters more. I appreciate everyone's input thus far. Thanks and God bless. Genesius ... View more

@Richfez  Thanks for your reply. | where upper_limit>2   No results. I removed the above command, with these results. OAPPLID is never set to "ALL". Thanks and God bless, Genesius ... View more

@efavreau  Thanks for your reply. There is no copy-n-paste of code from the dashboard to a search. I click the search magnifying glass at the bottom right of the panel. The results in this search page do not match those in the dashboard. Thanks and God bless, Genesius ... View more

@DalJeanis  Thank you for your reply. The problem with using head is that the _raw is 43 lines. The head command appears to be only pulling the first line. While the diff command is pulling all 43 lines from both files, comparing the lines, and displaying only the changes between the 2 events.   Thanks and God bless, Genesius ... View more

@Richfez  Thanks. I did not know about the true() function. Learned something new.  😀 However, results still ending up with '100'.  🤔 Thanks and God bless, Genesius ... View more

@neusse  Thanks for replying. All time search will not affect the events. The data is/are static properties files. They are infrequently updated. However, when they are updated without us knowing, trouble happens. So my search is performing a diff between the latest properties file and the previous one. As these files are prior to June 5th, there are is no possibility of the files having changed since ingestion. The issue is why the SPL, which is the same code in the dashboard, giving different results. Thanks and God bless, Genesius ... View more

@anilchaithu  Thanks for replying. I am the designer and launcher of the dashboard. Why dbconnect app? Thanks and God bless, Genesius ... View more

Being playful.  😁 I'm surprised no one has responded or is following this post. Did I post this incorrectly? Thanks and God bless, Genesius  ... View more