It is rather strange to use the exact same base search in a subsearch.  If nothing else, this reduces performance.  It is also strange that you have to use two consecutive transpose inside the subsearch seemingly just to get a list of id_flux values.  I think you are looking for appendpipe, not append. index="bloc1rg" AND libelle IN (IN_PREC, OUT_PREC, IN_BT, OUT_BT, IN_RANG, OUT_RANG) earliest=-1mon@mon latest=-1d@d | stats max(_time) as last_time count by id_flux libelle | appendpipe [chart sum(count) over id_flux by libelle] | eventstats values(IN_*) as IN_* values(OUT_*) as OUT_* by id_flux | search libelle=* | eval IN_BT_OUT_BT=IN_BT+OUT_BT | eval IN_PREC_OUT_PREC=IN_PREC+OUT_PREC | eval IN_RANG_OUT_RANG=IN_RANG+OUT_RANG | search IN_BT_OUT_BT>=2 AND IN_PREC_OUT_PREC >=2 AND IN_RANG_OUT_RANG >=2 ``` the above is equivalent to search 1 ``` In fact, appendpipe can also help you determine the response times you are looking, if I am guessing your intention correctly: index="bloc1rg" AND libelle IN (IN_PREC, OUT_PREC, IN_BT, OUT_BT, IN_RANG, OUT_RANG) earliest=-1mon@mon latest=-1d@d | stats max(_time) as last_time count by id_flux libelle | appendpipe [chart sum(count) over id_flux by libelle] | eventstats values(IN_*) as IN_* values(OUT_*) as OUT_* by id_flux | search libelle=* | eval IN_BT_OUT_BT=IN_BT+OUT_BT | eval IN_PREC_OUT_PREC=IN_PREC+OUT_PREC | eval IN_RANG_OUT_RANG=IN_RANG+OUT_RANG | search IN_BT_OUT_BT>=2 AND IN_PREC_OUT_PREC >=2 AND IN_RANG_OUT_RANG >=2 ``` the above is equivalent to search 1 ``` | appendpipe [chart limit=0 max(last_time) over id_flux by libelle] | search NOT libelle=* | fields - libelle last_time | eval response_rang = OUT_RANG - IN_RANG | eval response_prec = OUT_PREC - IN_PREC | eval response_bt = OUT_BT - IN_BT For the purpose of getting the help you wanted from this forum, complex SPL - especially with multiple transpose, only adds barrier to volunteers' understanding of your real objective.  I suggest that you describe the basic data set, describe the desired outcome, and describe the logic between desired outcome and the data.  Illustrate with text tables and strings (anonymize as necessary).  

@juakashi  before executing the ./splencore.sh test command You need to make a couple of export SPLUNK_HOME=/opt/splunk export LD_LIBRARY_PATH=/opt/splunk/lib After that you can continue Validate & Test the Connection

@woodcock We recently move to S2 and our initital retention was set to 6 months. A month after the migration we decided to reduced the retention to 3 months but did not see any reduction in storage in s3. Support found out that versioning was enabled in AWS by the PS engineer during the migration and that caused this issue. Now the new data which is rolled over is deleted but we still have old cruft remaining in s3 which is costing us heavily. Support wants us to delete the data manually by running commands from CLI. Isnt there a better way in doing this? Does AWS lifecycle rules work only for old data which is still lying there? What are the ways to get rid of this old data apart from removing it manually. 

@anissabnk so do you have ONE of each libelle per event, if so then how do you define response time - is it the TIME of the event, so BT time is OUT time - IN time and is there only a SINGLE one of each libelle per flux? Try something like this   index="bloc1rg" AND libelle IN (IN_PREC, OUT_PREC, IN_BT, OUT_BT, IN_RANG, OUT_RANG) earliest=-1mon@mon latest=-1d@d | stats max(eval(if(libelle="IN_PREC", _time, null()))) as IN_PREC_TIME max(eval(if(libelle="OUT_PREC", _time, null()))) as OUT_PREC_TIME max(eval(if(libelle="IN_BT", _time, null()))) as IN_BT_TIME max(eval(if(libelle="OUT_BT", _time, null()))) as OUT_BT_TIME max(eval(if(libelle="IN_RANG", _time, null()))) as IN_RANG_TIME max(eval(if(libelle="OUT_RANG", _time, null()))) as OUT_RANG_TIME by id_flux | eval response=(OUT_PREC_TIME-IN_PREC_TIME) + (OUT_BT_TIME-IN_BT_TIME) + (OUT_RANG_TIME-IN_RANG_TIME) | fields - *_TIME   so you are collecting all the event times for each of the event types by flux id and then just calculating the  response time at the end.  

@juakashi - Please check the following things: Ensure you have the latest version of the Add-on. Ensure you put the certificate as described and in the described path. Ensure the certificate file permissions are proper. (chmod) 600 for public cert files and 400 for private key files. Ensure the environment paths are set properly as described in the video.   I hope this helps!! Kindly upvote if it does!!!

>>> 1. Document mentioned that I have to create props.conf in /opt/splunk/deployment.apps/Splunk-TA-windows/local/   ---> created .....  did you create this on the HF, right? >>> 2. I just copied all lines with SEDCMD and cleared #  and just hoping to config should work. after updating the props.conf in Hf, did you restart the splunk service on the HF

Sorry for trouble, As I named myself... 1. Document mentioned that I have to create props.conf in /opt/splunk/deployment.apps/Splunk-TA-windows/local/   ---> created 2. I just copied all lines with SEDCMD and cleared #  and just hoping to config should work. All this changes made yesterday,