Hi, i have problem with Data model search. This is my SPL: |datamodel Network_Resolution_DNS_v2 search| search DNS.message_type=Query |rename DNS.query as query | fields _time, query | streamstats current=f last(_time) as last_time by query | eval gap=last_time - _time | stats count avg(gap) AS AverageBeaconTime var(gap) AS VarianceBeaconTime BY query | eval AverageBeaconTime=round(AverageBeaconTime,3), VarianceBeaconTime=round(VarianceBeaconTime,3) | sort -count | where VarianceBeaconTime < 60 AND count > 2 AND AverageBeaconTime>1.000 | table query VarianceBeaconTime count AverageBeaconTime and it's work fine but slowly, so i would like to change to Data Model. How looks like query ?  I have DM model DNS_v2 and it's work for another queries, but not for this. | tstats summariesonly=true values(DNS.query) as query FROM datamodel="DNS_v2" where DNS.message_type=Query groupby _time | mvexpand query | streamstats current=f last(_time) as last_time by query | eval gap=(last_time - _time) | stats count avg(gap) AS AverageBeaconTime var(gap) AS VarianceBeaconTime BY query | eval AverageBeaconTime=round(AverageBeaconTime,3), VarianceBeaconTime=round(VarianceBeaconTime,3) | sort -count | where VarianceBeaconTime < 60 AND count > 2 AND AverageBeaconTime>1.000 | table query VarianceBeaconTime count AverageBeaconTime Has anyone had this problem before?   ... View more

Hi. I have a dashboard with 80 panels. Panels are numeric value( type:Single Value). I would like to bulid one panel which count panels which are not 0.  In below example i would like build one panel which will show 1 because one panel is over then 0 and it's red. ... View more