I have the data in the following format score_count score_value 23 50 46 52 1 53 890 54 with more than a 1 million score_values, each value having its distinct count.    Given the data is in this format, how can I efficiently compute p95 or p99 of my the `score`.  I tried unrolling the table to create a single column with the value repeated multiple times, but the query does not complete at all.  Note that I'm planning to use this in a time chart command as so it has to be efficient to compute this value as well. 

I have multiple alerts with searches similar to the one below where fields are renamed to a numeric ordering. The search results are passed from phantom to a webex chat which reorders the fields unless this is done.  I am seeing back to back alerts when the throttle should have enacted. This also doesn't occur for all field values. An example would be an alert at 01:10 and 01:11 both containing the same throttled field value. At a loss at what the cause is. It doesn't appear to be the _'s because I would expect this behavior for all ~20 alerts of this format. Example search and alert configuration: Throttle for each result, value: 3_Publication index=database sourcetype=mssql:replication:status | fields _time, host, publisher, publication, agent_name, agent_type, agent_status | eval host = upper(host) | eval Time = strftime(_time, "%Y-%d-%m %H:%M:%S") | table Time, host, publisher, publication, agent_name, agent_type, agent_status | rename Time as 0_Time, host as 1_Host, publisher as 2_Publisher, publication as 3_Publication, agent_name as 4_Agent_Name, agent_type as 5_Agent_Type, agent_status as 6_Agent_Status

So, 2 of our indexers sometime have very high I/O due to a known issue,  but this is causing index queueing on all our 31 other indexers in same cluster.  When we turn off the 2 indexers that are going to have high I/O,  we dont see any issue. We are assuming that replication to these problem indexers are blocking other indexers and causing ripple effect across cluster.  Is it expected that the cluster behaves this way?   Are there any configuration to optimize or create dedicated threads only for replication with out blocking indexing and searching?

Hello, Where we should put the following configuration files? is this the correct place/info for them? Any help will be highly appreciated. Thank you so much, appreciated!  Deployment Client Configuration (Source Server where we have UF/HF) INDEXES Configuration File (Destination Server where we receive events ) INPUT Configuration File (Destination Server where we receive events ) PROPS Configuration File (Destination Server where we receive events ) TRANSFORMS Configuration File (Destination Server where we receive events )      

Hello, I have a problem regarding a datamodel search. My datamodel consists of different boolean values with a span of 5s. The summary range of the data model is defined for two weeks. I want to walk through the data and count events which contain the value "true" (GROUPBY _time span=5s ....). When I'm running the search with earliest=-2d@d I get an error "Job terminated unexpectedly". In the search.log I found "ERROR ProcessRunner - helper process seems to have died (child killed by signal 9: Killed)!" When I'm running the same search for earliest=-1d@d I don't get an error. In the OS logs of my server I've noticed that the cpu nearly reaches 100% of the capacity. THP is disabled. Thank you

  SerialNumber Duration 111A 200 111A 500 2222 300 3333 100 3333 250   How can I display only the lowest duration for each SerialNumber.  | dedup SerialNumber would sometimes get me the larger duration.   Expected Output: SerialNumber Duration 111A 200 2222 300 3333 100  

I am having trouble upgrading to Splunk 8.2.2 from 8.0.4.1.  I keep getting that annoying 1603 error, but I can't seem to fix it.  I've already tried re-propagating permissions for the folders and various re-registrations of the Windows Installer service, but same errors. Below is a snippet of what I get before the rollback.  Any nudges in the right direction would be appreciated.   InstallFiles: File: SelectedFields.js, Directory: C:\Program Files\Splunk\share\splunk\search_mrsparkle\exposed\js\views\shared\eventsviewer\list\body\row\, Size: 3708 InstallFiles: File: cp866.py, Directory: C:\Program Files\Splunk\Python-3.7\Lib\encodings\, Size: 34396 InstallFiles: File: Brunei, Directory: C:\Program Files\Splunk\Python-2.7\Lib\site-packages\pytz\zoneinfo\Asia\, Size: 203 InstallFiles: File: progress-bars.pcss, Directory: C:\Program Files\Splunk\share\splunk\search_mrsparkle\exposed\pcss\base\, Size: 4000 InstallFiles: File: struct.py, Directory: C:\Program Files\Splunk\Python-3.7\Lib\, Size: 257 InstallFiles: File: St_Helena, Directory: C:\Program Files\Splunk\Python-3.7\Lib\site-packages\pytz\zoneinfo\Atlantic\, Size: 148 InstallFiles: File: SplunkWeb.URL, Directory: C:\ProgramData\Splunk Enterprise\, Size: 47 Action 19:04:48: RollbackRegmonDrv. Action 19:04:48: InstallRegmonDrv. InstallRegmonDrv: Warning: Invalid property ignored: FailCA=. InstallRegmonDrv: Info: Driver inf file: C:\Program Files\Splunk\bin\splunkdrv.inf. InstallRegmonDrv: Info: Enter. Args: rundll32.exe, setupapi,InstallHinfSection DefaultInstall 128 C:\Program Files\Splunk\bin\splunkdrv.inf InstallRegmonDrv: Info: SystemPath is: C:\WINDOWS\system32\ InstallRegmonDrv: Info: Execute string: C:\WINDOWS\system32\cmd.exe /c "C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Program Files\Splunk\bin\splunkdrv.inf >> "C:\Users\username\AppData\Local\Temp\splunk.log" 2>&1" InstallRegmonDrv: Info: WaitForSingleObject returned : 0x0 InstallRegmonDrv: Info: Exit code for process : 0x0 InstallRegmonDrv: Info: Leave. Action 19:04:49: RollbackNetmonDrv. Action 19:04:49: InstallNetmonDrv. InstallNetmonDrv: Warning: Invalid property ignored: FailCA=. InstallNetmonDrv: Info: Driver inf file: C:\Program Files\Splunk\bin\splknetdrv.inf. InstallNetmonDrv: Info: Enter. Args: rundll32.exe, setupapi,InstallHinfSection DefaultInstall 128 C:\Program Files\Splunk\bin\splknetdrv.inf InstallNetmonDrv: Info: SystemPath is: C:\WINDOWS\system32\ InstallNetmonDrv: Info: Execute string: C:\WINDOWS\system32\cmd.exe /c "C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Program Files\Splunk\bin\splknetdrv.inf >> "C:\Users\username\AppData\Local\Temp\splunk.log" 2>&1" InstallNetmonDrv: Info: WaitForSingleObject returned : 0x0 InstallNetmonDrv: Info: Exit code for process : 0x0 InstallNetmonDrv: Info: Leave. Action 19:04:51: RollbackNohandleDrv. Action 19:04:51: InstallNohandleDrv. InstallNohandleDrv: Warning: Invalid property ignored: FailCA=. InstallNohandleDrv: Info: Driver inf file: C:\Program Files\Splunk\bin\SplunkMonitorNoHandleDrv.inf. InstallNohandleDrv: Info: Enter. Args: rundll32.exe, setupapi,InstallHinfSection DefaultInstall 128 C:\Program Files\Splunk\bin\SplunkMonitorNoHandleDrv.inf InstallNohandleDrv: Info: SystemPath is: C:\WINDOWS\system32\ InstallNohandleDrv: Info: Execute string: C:\WINDOWS\system32\cmd.exe /c "C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Program Files\Splunk\bin\SplunkMonitorNoHandleDrv.inf >> "C:\Users\username\AppData\Local\Temp\splunk.log" 2>&1" InstallNohandleDrv: Info: WaitForSingleObject returned : 0x0 InstallNohandleDrv: Info: Exit code for process : 0x0 InstallNohandleDrv: Info: Leave. Action 19:04:52: CreateFtr. CreateFtr: Warning: Invalid property ignored: FailCA=. Action 19:04:53: FirstTimeRun. FirstTimeRun: Warning: Invalid property ignored: FailCA=. FirstTimeRun: Info: Properties: splunkHome: C:\Program Files\Splunk. FirstTimeRun: Info: Execute first time run. FirstTimeRun: Info: Enter. Args: "C:\Program Files\Splunk\bin\splunk.exe", _internal first-time-run --answer-yes --no-prompt FirstTimeRun: Info: SystemPath is: C:\WINDOWS\system32\ FirstTimeRun: Info: Execute string: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\Splunk\bin\splunk.exe" _internal first-time-run --answer-yes --no-prompt >> "C:\Users\username\AppData\Local\Temp\splunk.log" 2>&1" FirstTimeRun: Info: WaitForSingleObject returned : 0x0 FirstTimeRun: Info: Exit code for process : 0x1 FirstTimeRun: Info: Leave. FirstTimeRun: Error: ExecCmd failed: 0x1. FirstTimeRun: Error 0x80004005: Cannot execute first time run. CustomAction FirstTimeRun returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox) Action ended 19:05:37: InstallFinalize. Return value 3. Action 19:05:37: Rollback. Rolling back action:    

Hello, I have this 3 queries : sourcetype="Silverpop-*" Message="Message was successfully sent to *"| top limit=500 "AdditionalData.additionalData.AdditionalParameters.MailingID"   sourcetype="kube:container:notificationsservice-workerservice" Message="Filtered channel context" "ContextData.ChannelName"=SalesforceEmail| top limit=500 "AdditionalData.Meta.NotificationType"   sourcetype="kube:container:notificationsservice-workerservice" Message="Filtered channel context" "ContextData.ChannelName"=SalesforcePriorityEmail| top limit=500 "AdditionalData.Meta.NotificationType"   i want to union the second and third queries and compare to the first one and show it all in csv file   how can i do it ?   thanks

We are getting some vulnerabilities for our splunk instance and to fix that we need to Add strict-transport-security header to the http responses. We have tried adding stanza "sendStrictTransportSecurityHeader = true" to the server.conf and web.conf but the issue still persist, Can anyone please help me on this issue

Using Windows EventCodes I want to find 3 or more users failing to log in. So far my syntax is  | stats values(user) as user count by host which looks good. Now I only want to see > 2 users from the same host. | where count > 2 counts the total, not the different values in the "user" field.   

i wnat to generate an alert whenever one of the text string is missing between two in the same log file every 30 min . Please look into the below query for reference: | union maxout=10 [ search index=72434_Taxi host=ah-1125888-001* "Finished Reading file for data Load: "] [search index=72434_Taxi host=ah-1125888-001* "Reading file for data Load:"] I want an alert if any of the string is missing as per above query.

Hi All,  I am new to glass tables in ITSI.  We have ITSI glass tables new versions and I am looking how to change background color for individual columns based on value within column.  In Splunk enterprise dashboards, it is fairly simple to map value with color. Happy to add few fields in source code of glass table. 

I want to correlate events between two index Index=A Index = B There are multiple user field(user, src_user, dsuer) under Index A. I have to search user in index A which have  signature=password retrieved and need to check the same user in Index B if there is successful login(action=success) in 30 sec duration when user has retrieved the password.   Thank you in advance.

Hi All, I have two different search criteria & query. First search criteria/query will produce the start time for event 1 and second search criteria/query will be provide End time for event1. Need to calculate the duration between Start and End time using Splunk.