Yes, you can. But it is not nearly as simple as using the si- commands. I would suggest that you also examine report acceleration in Splunk 5.x - but I don't think that will work for your case. Look here for info: Configure Summary Indexes ... View more

Use built in sum+eval combos: .. | stats count(eval(action=="Denied")) as denies by source_ip You can use an eval(field="value") inside of a sum or count inside of a stats command. Works likea charm. ... View more

Thanks... I have created indexer as master and search head as slave license resolved he issue ... View more

This isn't that hard to do, but it's very hard to parallelize, i.e., it's very ineffective to map-reduce, compared with averaging below a percentile. May I ask what the mathematical basis for preferring this computation to simply averaging everything below the 90th percentile would be? Especially since they would only have different results when considering artificial and pathological data sets, particularly if you measure your response times with sufficient granularity. ... | sort response_time | eventstats count as ttl | streamstats global=t current=t count as pos | where pos<(0.9*ttl) | stats avg(response_time) ... View more

amitsehgal, Basically this is achieved via advanced XML. There have been a few questions answered related to dynamic dropdowns in XML: building-a-view-with-2-dynamic-drop-down-menus See also: Splunk UI Examples for 4.1 Let us know if you have some additional questions. ... View more

The latest version of Splunk for Unix and Linux app (version 4.5) as well as the technology add-on provides AIX support for most scripted inputs. ... View more

Not sure how to bump this.....is there any suggestion to make this search 90 percentile faster...its too slow .... ... View more