https://community.splunk.com/t5/Splunk-Search/Counting-Number-of-Field-Installs-Counting-Latest-event-only/m-p/270567#M81442 <P>Worked Perfectly thank you! </P> <P>P.S. one small thing there is a "(" missing after mvindex on the 3rd line</P> Mon, 25 Jul 2016 20:29:23 GMT raby1996 2016-07-25T20:29:23Z https://community.splunk.com/t5/Splunk-Search/Counting-Number-of-Field-Installs-Counting-Latest-event-only/m-p/270563#M81438 <P>Hi all,</P> <P>I am attempting to count the number of Installs of certain code levels for field machines. Essentially I am extracting this information from some logs, and then I am listing all the code levels by machine serial, this gives me the code level history of a machine. Where I am struggling is being able to list current installs of the code levels, so this would include counts of 0 since not all code levels are currently being used, however I feel that my current approach isn't appropriate , I've included some samples below.</P> <P>First part of Search-</P> <PRE><CODE>Search.......| stats values(code_level) as code_level list(time_on_machine) as time_on_machine by Machine_Serial | stats dc(Machine_Serial) as installs sum(time_on_machine) by code_level </CODE></PRE> <P>Results- </P> <PRE><CODE>Machine_Serial code_level time_on_machine 75abc 1.1 365 1.3 20 1.4 50 75dfe 1.1 10 1.3 15 1.5 7 75xyz 1.3 25 1.4 50 </CODE></PRE> <P>As mentioned above from this search I can see a historical view of the code history for machines as well as the time it spent on a machine. Essentially only the latest code level ( the one at the bottom of each group I.E the largest one ) would count as an install so for the first group ( serial 75abc ) code level 1.1 would be a current install, but 1.3 and 1.4 would not count towards installs on their respective level, however I do take their time_on_machine field and add that to the rest, so it would look something like this-</P> <P>Desired Results-</P> <PRE><CODE> code_level current_installs time_on_machine_sum 1.1 0 375 1.3 0 60 1.4 2 100 1.5 1 7 </CODE></PRE> <P>Is there any way I can achieve the current_installs portion of this search? Thank you in advance, and please let me know if something was not clear.</P> Tue, 29 Sep 2020 10:18:19 GMT https://community.splunk.com/t5/Splunk-Search/Counting-Number-of-Field-Installs-Counting-Latest-event-only/m-p/270563#M81438 raby1996 2020-09-29T10:18:19Z https://community.splunk.com/t5/Splunk-Search/Counting-Number-of-Field-Installs-Counting-Latest-event-only/m-p/270564#M81439 <P>How about this?</P> <PRE><CODE>Search.......| stats dc(Machine_Serial) as current_installs sum(time_on_machine) as time_on_machine_sum by code_level </CODE></PRE> Mon, 25 Jul 2016 17:21:16 GMT https://community.splunk.com/t5/Splunk-Search/Counting-Number-of-Field-Installs-Counting-Latest-event-only/m-p/270564#M81439 sundareshr 2016-07-25T17:21:16Z https://community.splunk.com/t5/Splunk-Search/Counting-Number-of-Field-Installs-Counting-Latest-event-only/m-p/270565#M81440 <P>Hello sundareshr,<BR /> I've tried that, but this will return a count that includes code levels that are no longer on that machine so where I should get a 0 for example, I'll end up getting a value of 1 or more. Still thank you</P> Mon, 25 Jul 2016 17:24:13 GMT https://community.splunk.com/t5/Splunk-Search/Counting-Number-of-Field-Installs-Counting-Latest-event-only/m-p/270565#M81440 raby1996 2016-07-25T17:24:13Z https://community.splunk.com/t5/Splunk-Search/Counting-Number-of-Field-Installs-Counting-Latest-event-only/m-p/270566#M81441 <P>Give this a try</P> <PRE><CODE> Search.......| stats values(code_level) as code_level list(time_on_machine) as time_on_machine by Machine_Serial | eval latest_code_level=mvindex(code_level,-1) | eval latest_time_on_machine=mvindex(time_on_machine,-1) | eval temp=mvzip(code_level,time_on_machine,"#") | fields - code_level, time_on_machine | mvexpand temp | rex field=temp "(?&lt;code_level&gt;.+)#(?&lt;time_on_machine&gt;.+)" | fields - temp | eval current_install=if(code_level=latest_code_level,1,0) | stats sum(current_install) as current_install sum(time_on_machine) as time_on_machine by code_level </CODE></PRE> Mon, 25 Jul 2016 18:33:13 GMT https://community.splunk.com/t5/Splunk-Search/Counting-Number-of-Field-Installs-Counting-Latest-event-only/m-p/270566#M81441 somesoni2 2016-07-25T18:33:13Z https://community.splunk.com/t5/Splunk-Search/Counting-Number-of-Field-Installs-Counting-Latest-event-only/m-p/270567#M81442 <P>Worked Perfectly thank you! </P> <P>P.S. one small thing there is a "(" missing after mvindex on the 3rd line</P> Mon, 25 Jul 2016 20:29:23 GMT https://community.splunk.com/t5/Splunk-Search/Counting-Number-of-Field-Installs-Counting-Latest-event-only/m-p/270567#M81442 raby1996 2016-07-25T20:29:23Z https://community.splunk.com/t5/Splunk-Search/Counting-Number-of-Field-Installs-Counting-Latest-event-only/m-p/270568#M81443 <P>Thanks for noticing the type. Just corrected it.</P> Mon, 25 Jul 2016 20:53:11 GMT https://community.splunk.com/t5/Splunk-Search/Counting-Number-of-Field-Installs-Counting-Latest-event-only/m-p/270568#M81443 somesoni2 2016-07-25T20:53:11Z