Looking help to remove outliers (values greater than 90 percentile responses). For Ex:  Response Time  -------------------- 1 Second 2 Seconds 3 Seconds 4 Seconds 5 Seconds 6 Seconds 7 Seconds 8 Seconds 9 Seconds 10 Seconds 90 percentile for the above values is 9 Seconds. want to remove the outlier 10 Seconds and get the average response for remaining values. My expected Avg Response (after Removing the outlier) = 5 Seconds ==================================================== My Query is  index="dynatrace" sourcetype="dynatrace:usersession" | spath output=user_actions path="userActions{}" | stats count by user_actions | spath output=pp_user_action_application input=user_actions path=application | where pp_user_action_application="******" | spath output=User_Action_Name input=user_actions path=name | spath output=pp_user_action_response input=user_actions path=visuallyCompleteTime | eval User_Action_Name=substr(User_Action_Name,0,150) | eventstats avg(pp_user_action_response) AS "Avg_Response" by Proper_User_Action | stats count(pp_user_action_response) As "Total_Calls",perc90(pp_user_action_response) AS "Perc90_Response" by User_Action_Name Avg_Response | eval Perc90_Response=round(Perc90_Response,0)/1000 | eval Avg_Response=round(Avg_Response,0)/1000 | table Proper_User_Action,Total_Calls,Perc90_Response

I have created an app for a team that I work with, and have set up mapping from our SAML auth so that the people on the team get a role that has access to the app. I would like for when these folks log in (they only have this one role, no other roles -- not even the default user role), they would land on the home page for the app.  As I understand it, that's supposed to be accomplished with the default_namespace parameter, set in the $SPLUNK_HOME/etc/apps/user-prefs/local/user-prefs.conf. In a regular browser window, now, when they log in, they get a 404 page for the app's home page (en-US/app/<appname>/search).  If they do it in an incognito/private browsing window, they land on the Launcher app and then then can navigate to the app and it works just fine.  The app's home page exists and is absolutely NOT a 404; after logging in in incognito, the URL they get when they manually navigate to the app is identical to the the link they're landed on when logging in without incognito.  (Ideally, I don't want these users to have access to the Launcher app, even.  But for now, they have to, in order to work around this.) We have a distributed environment (multiple indexers, multiple load-balanced search heads with a VIP).  This is the first time I've worked in a distributed environment.  So I'm assuming it's something to do with that. Any tips on what I'm doing wrong?

Hi, When using jdk8+ javaagent version 22.12.0,  I see below error $ java -javaagent:/cache/javaagent.jar -version Unable to locate appagent version to use - Java agent disabled openjdk version "1.8.0_382" OpenJDK Runtime Environment (Zulu 8.72.0.17-CA-linux64) (build 1.8.0_382-b05) OpenJDK 64-Bit Server VM (Zulu 8.72.0.17-CA-linux64) (build 25.382-b05, mixed mode)   What is the compatible javaagent version for above Java version.

Example logs 2022-08-19 08:10:53.0593|**Starting** 2022-08-19 08:10:53.5905|fff 2022-08-19 08:10:53.6061|dd 2022-08-19 08:10:53.6218|Shutting down 2022-08-19 08:10:53.6218|**Starting** 2022-08-19 08:10:53.6374|fffff 2022-08-19 08:10:53.6686|ddd 2022-08-19 08:10:53.6843|**Starting** 2022-08-19 08:10:54.1530|aa 2022-08-19 08:10:54.1530|vv   From this I have created three columns Devicenumber,  _time ,Description If ** Starting ** message has followed by "Shutting down" mean, it should classify as good and if Starting message has not Shutting down mean, it should classify as bad.   From the above example, there should be 2 bad and one good.   If there is only one row which has only Starting and no shutting down recorded, in that case also , it should classify as bad

I'm trying to run a lookup against a list of values in an array.  I have a CSV which look as follows: id x y 123 Data Data2 321 Data Data2 456 Data3 Data3   The field from the search is is an array which looks as follows: ["123", "321", 456"] I want to map the lookup value.  Do I need to iterate over the field or can I use a lookup or is the best option?