Could you please confirm what is the updated query ? I am using below query. No result found. Please suggest index=whatever yoursearchterms | bin _time span=1s | stats count AS TPS by _time service | stats max(TPS) AS "NaxTPS" min(TPS) AS "MinTPS" avg(TPS) AS "AVG TPS" by service ... View more

Hi @appusplunk14, Below query will show peakTime too.  index=whatever | bin _time span=1s | chart count as TPS by _time | eval time_hour=strftime(_time,"%Y-%m-%d %H:00:00") | eventstats max(TPS) as peakTPS avg(TPS) as avgTPS by time_hour | eval avgTPS=round(avgTPS,2) | where TPS=peakTPS | rename _time as peakTime, time_hour as _time | eval peakTime=strftime(peakTime,"%Y-%m-%d %H:%M:%S") | stats values(peakTime) as peakTime values(peakTPS) as peakTPS values(avgTPS) as avgTPS by _time ... View more

index=_internal "splunkd" OR "sourcetype" | eval matches=if(searchmatch("splunkd"),"splunkd","sourcetype") | bin _time span=1s | chart count as TPS by _time matches | untable _time matches TPS | timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h by matches | untable _time tps value | eventstats max(value) as max_TPS by tps | eval high_time=if(max_TPS==value,tps,NULL) | xyseries _time tps value high_time | foreach high* [ eval high_time=mvappend(high_time,'<<FIELD>>')] | rename "value: *" as * | fields - high_time:* | table _time avg* peak* high_time ... View more