topic how to sort() version values. in Splunk Search

how to sort() version values.

karthik_y — Sun, 13 Dec 2020 12:38:47 GMT

Hello,

I am having values of a particular application as below.

Looking to get the maximum version value or sorting them in order so that i can pick the last/first value in my search.

Values i have for applicationA:

1.17.120

2.12.600

2.14.377

2.14.378

2.15.121

2.16.298

2.17.176

2.18.117

2.4.153

2.6.186

2.7.241

2.7.242

2.8.207

2.9.369

Value i am looking for :

2.18.117

I know we can use case() to add numbers and sort in order. But i have more than 20+ applications with similar data.

Out of them i have to get the Maximum values for each application data.

Regards.

Re: how to sort() version values.

ITWhisperer — Sun, 13 Dec 2020 18:43:35 GMT

You could add a leading zero to the middle part of the version number so that they will sort lexicographically

| rex mode=sed field=versions "s/\.(?<digit>\d)\./.0\1./g"

Re: how to sort() version values.

stephanefotso — Sun, 13 Dec 2020 19:55:22 GMT

Hi, you can also extract each part of the field and then display only the maximum value:

Re: how to sort() version values.

karthik_y — Thu, 17 Dec 2020 14:03:58 GMT

Thank you. I have got what i am looking for.

Re: how to sort() version values.

yuanliu — Thu, 17 Jun 2021 20:20:15 GMT

When I have to do this, I'm quite surprised that SPL hasn't offered a function for just this. Searching this forum discovered multiple workarounds based on conversion to numerals, padding 0, etc., perhaps the earliest from 2015. But this 2018 solution by @acharlieh is more intriguing: https://community.splunk.com/t5/Splunk-Search/Help-With-Sorting-Multiple-Decimal-Points/m-p/314798/highlight/true#M94212. It doesn't modify the field value, which can of practical importance; instead, it uses ip() function to sort each dot section numerically:

| sort ip(version)

The post discusses its limitations, but should work well for most use. (The dotted notation doesn't have to be 4 sections.) Thanks, @acharlieh!