I basically have the opposite question as can be seen here: https://community.splunk.com/t5/Splunk-Search/How-to-use-the-head-command-with-group-by/m-p/444439 I am looking for an increase in performance while keeping the search generic. As a minimal example I created this:     | makeresults | eval data=split("1;1,1;2,2;1,2;2",",") | mvexpand data | eval data=split(data,";") | eval a=mvindex(data,0), b=mvindex(data,1) | table a b | dedup a     I know that I can tremendously speed up the search if I use a template like so, using "| head 1" on each group of a:     | makeresults | append [| makeresults | eval data=split("1;1,1;2,2;1,2;2",",") | mvexpand data | eval data=split(data,";") | eval a=mvindex(data,0), b=mvindex(data,1) | table a b | search a=1 | head 1 ] | append [| makeresults | eval data=split("1;1,1;2,2;1,2;2",",") | mvexpand data | eval data=split(data,";") | eval a=mvindex(data,0), b=mvindex(data,1) | table a b | search a=2 | head 1 ] | search a=* | table a b     However, this way the search is no longer generic and I have to know what groups "a" can take (1,2 in this example) Question: Is there a way to increase performance on dedup while also keeping the search generic?

Hello, I want to schedule a python script which uses pandas and beautifulsoup4 as librairies. But my splunk does not have those librairies and does not execute the python script. How can I add those librairies to my splunk environment?   Thanks.

Hi all, I have the Splunk Add-on for AWS up and running fine and ingesting to a metric index. Now I need to fine  tune it a bit and wondering about Metrics Configuration and Metric Statistics. We get namespace AWS/DX dimension ConnectonId, all metrcs,. But what about Metric Statistics? What should I use to get the best value.... for alerts Average, Sum, Maximum or Minimum? This statics can be 0 "down" OR 1 "up" -J-  

Hello, I am having a hard time with the Splunk Universal Forwarder agent v9.1.1. Got it installed in 100+ servers and it starts and talks to the deployment server , then when I push some configs, it restarts and never comes back. To make it start again, the windows admin had to remove the credentials of Splunk user from the host. I tried installing the agent in multiple ways and even tried using virtual account and experienced the same results Default installation :   msiexec.exe /i splunkforwarder-9.1.1-64e843ea36b1-x64-release.msi AGREETOLICENSE=yes DEPLOYMENT_SERVER=some_url:8089 SERVICESTARTTYPE=auto LAUNCHSPLUNK=1 /quiet   Using Virtual account without password:   msiexec.exe /i splunkforwarder-9.1.1-64e843ea36b1-x64-release.msi AGREETOLICENSE=yes DEPLOYMENT_SERVER=some_url:8089 SERVICESTARTTYPE=auto LAUNCHSPLUNK=1 SPLUNKUSERNAME=splunkfwd USE_VIRTUAL_ACCOUNT=1 /quiet   Using Virtual account with password:   msiexec.exe /i splunkforwarder-9.1.1-64e843ea36b1-x64-release.msi AGREETOLICENSE=yes DEPLOYMENT_SERVER=some_url:8089 SERVICESTARTTYPE=auto LAUNCHSPLUNK=1 SPLUNKUSERNAME=splunkfwd SPLUNKPASSWORD=some_password USE_VIRTUAL_ACCOUNT=1 /quiet   Any thoughts on what could be the issue? Splunk log does not show any anything. And just to add this this, it works fine in some hosts (~5) without any issues