Hi @elizabethl_splu , i am new to dashboard studio. So, we usually deploy the classic XML dashboard via external editor to see them into splunk. Rather than creating via ui. Now how can I deploy the dashboard studio code, when i am trying to promote the code, it got into splunk but when i am trying to  open it is say proper dashboard tag are not added .what i am missing here My dashboard is starting with  { Visualization.......         ... View more

It seems you have extra information (the par value which is repeated with every event). In a context of analyziing single event it's good because it lets you do a quick check without consulting any external sources (splunk is not an RDBMS so we won't teach you about database normalization here ;-)). But seriously - what if the par value changed over time? Anyway, it seems that what you need is an xyseries command which takes such "indexed" events and puts them over a table. The trick here is that xyseries normally works with three fields - X-index, Y-index and value whereas in your events you have par and target which should be the "Y-index". So you'd need to combine them into one value, then do xyseries and then split them again into separate values. Anyway, just out of curiosity - why do you have multiple indexes with the same kind of data? ... View more

Thanks  !!  My queries/data base is not fixed. I used selfjoin though as it made my life simpler thanks  for your explanation too. ... View more

Hi @paritoshs24 I'm so glad you found a solution!  ... View more

Yes, the IN operator may be used in a subsearch. If your problem is resolved, then please click the "Accept as Solution" button to help future readers. ... View more

index=cms_vm $ostestfield$ @DalJeanis  @gbwilson  instead of above command  we can use  index IN (cms_pc cms_vm cms_host) OperatingSystem_Code IN ($ostestfield$) ... View more

Dude !!!!! Your answer saved my life !! 😘  ... View more

The fieldformat syntax is almost the same as eval. The difference is that fieldformat doesn't create a new field as such. So you will see the "field" in output but you cannot calculate anything based on its value - you have to use the original field. See the example (also shows the difference between eval and fieldformat): | makeresults count=210 | streamstats count | eval part=count/13 | eval truncated=round(part,1) | fieldformat formatted=round(part,1) | eventstats sum(truncated) as truncatedsum sum(part) as partsum In case of simple multiplying when there's no rounding error, there's not much of a practical difference since the value itself does not differ but in case of fractions the error can accumulate and skew the final results. The most useful use case of field format is with timestamp manipulation when you leave the original timestamp field in numerical form which allows for easy adding/substracting intervals and so on but still can get a human-readable representation in the results. ... View more

Thanks a  lot !! You saved me  so much of Energy !! 🙂 ... View more