**My mission:** Alert networking staff when one of their devices has high log deviation.
**How I think it should be done:** Use the TACACS database, since it is always up to date.
I am selecting a list of IPs from our TACACS database:

```
mysqlquery spec=mysql.companyxyz.net query="select ip FROM host WHERE ip > 0"
```
Here is the query to find log deviation for all hosts:

```
index=_internal group="per_host_thruput"
| eval mb=kb/1024
| stats mean(eps), stdev(eps) AS "Standard Deviation", var(eps) AS "Variance EPS", sum(mb) AS "MB of Syslog Data" by series
| sort 25 -"Standard Deviation"
```
My question: how do I tell Splunk to alert using the IPs returned from the query?
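As an added example (not part of the original post), one way to scope the deviation search to the TACACS hosts is to feed the mysqlquery results in as a subsearch, so the outer search only matches those `series` values. It assumes the `series` field in per_host_thruput carries the same IP strings as the `ip` column from the database, and the threshold of 50 is a made-up placeholder to tune for your environment.

```spl
index=_internal group="per_host_thruput"
    [ mysqlquery spec=mysql.companyxyz.net query="select ip FROM host WHERE ip > 0"
      | rename ip AS series
      | fields series ]
| eval mb=kb/1024
| stats mean(eps) AS "Mean EPS", stdev(eps) AS "Standard Deviation", var(eps) AS "Variance EPS", sum(mb) AS "MB of Syslog Data" by series
| where 'Standard Deviation' > 50
| sort -"Standard Deviation"
```

Saved as an alert with the trigger condition "number of results is greater than 0", this fires only when a TACACS-listed device exceeds the deviation threshold, and each result row names the offending IP for the notification.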