I was wondering if someone can help me with something I am trying to do. I have two extracted fields called metricvalue and metrichost. Metricvalue contains latency values, and metrichost contains the hostname of the node writing the latency.
Currently, I have the following query:
sourcetype="metrics" source="/gmc-logs/prod/metrics.log" serve.pixel.request.get.lat.avg metrichost=pixeltmp* | timechart avg(metricvalue)
This gives me a time chart of latency values so that I can track latency across all nodes over time. If I add "by metrichost" at the end, I get a FEW of the hosts with average latency values, but it seems to sort by hostname, not higher latency nodes at the top.
So my questions are ...
1) How do I make it so that higher value average nodes are first on the list, rather than by metricnode?
2) I need to alert if the average latency for the hour is a certain value or higher. I can't seem to get this to work.