So I have a function that takes a certain amount of time (timer_value), and I'm trying to create an alert that triggers when the time starts to increase. For this, I'm calculating the slope using this macro (http://wiki.splunk.com/Community:Plotting_a_linear_trendline). I'm using the map command because I want to calculate the slope for each host running this process. This works fine, and I get a chart (using the table command) that gives me the host, the slope, and a boolean that tells me if this value is good or bad.
However, since I want to create an alert for this, I need to pass the value out of the subsearch and the map command and use it as a custom condition for the alert. I'm stuck on how to do this; I've tried return as well as table. I'm assuming this is a problem because the map command returns multiple instances of the variable named slope?
For now I don't care which host triggered the alert, I just need it to trigger if any of the values of slope are over a certain value. I can pass out either the boolean or the slope value, it doesn't matter.
This is my search:
TIMER timer_function="'scene_ingest_ndvi'" | stats count by host | map [search host=$host$ | timechart span=20min avg(timer_value) as avgyvalue | where isnotnull(avgyvalue) | `lineartrend(_time,avgyvalue)` | stats first(slope) as slope | eval host="$host$" | eval err=if(slope>0.005 OR slope<-0.005,"Bad","Good") | table host err slope ] maxsearches=100
If anyone has any ideas on how to do this, they would be more than welcome. I'm also open to doing it another way, if there's something easier than map that will achieve the desired result.
Thanks in advance!!
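Added example (not part of the original question, and not an answer from the thread): a version of the search that drops map and computes the per-host least-squares slope inline, so the alert can trigger on a plain "Number of results > 0" condition. It assumes the same fields as the post (host, timer_value, _time), the same 20-minute buckets and the same +/-0.005 threshold; the slope formula is ordinary least squares written out with eventstats instead of the lineartrend macro.

```spl
TIMER timer_function="'scene_ingest_ndvi'"
| bin _time span=20min
| stats avg(timer_value) as y by host _time
| eventstats min(_time) as t0 by host
| eval x=_time-t0                        /* seconds since each host's first bucket: keeps x*x small */
| eval xy=x*y, xx=x*x
| eventstats count as n, sum(x) as sumx, sum(y) as sumy, sum(xy) as sumxy, sum(xx) as sumxx by host
| eval slope=(n*sumxy - sumx*sumy) / (n*sumxx - sumx*sumx)   /* least-squares slope, seconds per second */
| stats first(slope) as slope by host
| eval err=if(abs(slope) > 0.005, "Bad", "Good")
| where err="Bad"
```

Because every row for a host carries the same slope after eventstats, `stats first(slope) by host` collapses to one row per host, and the final `where` leaves only hosts over the threshold; saving this as an alert with the trigger condition "Number of results is greater than 0" fires when any host is bad, without needing a custom condition on a field inside a subsearch. A host with a single 20-minute bucket has a zero denominator, so its slope evaluates to null and it is dropped rather than triggering. The same final `where err="Bad"` can also be appended after the closing bracket of the original map search if you prefer to keep the macro.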