topic Re: How to edit my search to compare software version numbers to find the latest version? in Splunk Search

How to edit my search to compare software version numbers to find the latest version?

Aaron_Fogarty — Wed, 27 Jul 2016 10:39:23 GMT

HI,

I have a field called AppVersion. The field value represents the version of a piece of software.

Example AppVersion = 3.0.1

I am trying to return the most recent version of the App that a user has used.

What I have tried was to break down the value into parts and add them together. The problem with this is, if the value is 3.0.1 or 2.2.0, the summed values are the same. Also, I was only able to display the summed value of the highest version, and not the field AppVersion that I want.

index=abc sourcetype=123 User="john"  AppVersion | rex "AppVersion=(?<versionD1>\d+)" | rex "AppVersion=\d+.(?<versionD2>\d+)" | rex "AppVersion=\d+.\d+.(?<versionD3>\d+)"| eval version= versionD1 + versionD2 + versionD3 | dedup AppVersion | stats max(version) as maxVersion | fields maxVersion AppVersion

Thanks

Re: How to edit my search to compare software version numbers to find the latest version?

HeinzWaescher — Wed, 27 Jul 2016 11:03:01 GMT

Try this:

index=abc sourcetype=123 User="john"  AppVersion
| stats latest(AppVersion)

Re: How to edit my search to compare software version numbers to find the latest version?

Aaron_Fogarty — Wed, 27 Jul 2016 11:12:13 GMT

Hey HeinzWaescher,

Thanks for the reply but this didnt work. It looks like latest() command returns the latest value by its time stamp.

Re: How to edit my search to compare software version numbers to find the latest version?

HeinzWaescher — Wed, 27 Jul 2016 11:13:56 GMT

Yes it does, I thought that is your goal.

Re: How to edit my search to compare software version numbers to find the latest version?

Aaron_Fogarty — Wed, 27 Jul 2016 11:48:06 GMT

No not by time but by the value of the field AppVersion. I am looking to return the latest Version of the of the software.

For Example if the values are

AppVersion = 3.0.1
and
AppVersion = 2.2.0

The latest version in this case would be 3.0.1 and that is the value I want returned.

Thanks

Re: How to edit my search to compare software version numbers to find the latest version?

sundareshr — Wed, 27 Jul 2016 12:08:08 GMT

Try this

index=abc sourcetype=123 User=*  AppVersion | rex "AppVersion=(?<versionD1>\d+)" | rex "AppVersion=\d+.(?<versionD2>\d+)" | rex "AppVersion=\d+.\d+.(?<versionD3>\d+)" | sort User -versionD1 -versionD2 -versionD3 | streamstats count by User | where count=1 | eval Version = versionD1."."versionD2.".".versionD3 | fields User Version

*OR*

index=abc sourcetype=123 User=*  AppVersion | rex "AppVersion=(?<versionD1>\d+)" | rex "AppVersion=\d+.(?<versionD2>\d+)" | rex "AppVersion=\d+.\d+.(?<versionD3>\d+)" | stats max(versionD1) as v1 max(versionD2) as v2 max(versionD3) as v3 by User | eval Version = v1."."v2.".".v3 | fields User Version

Re: How to edit my search to compare software version numbers to find the latest version?

HeinzWaescher — Wed, 27 Jul 2016 12:08:48 GMT

what about

| rex field=AppVersion "(?.).(?.).(?.*)"
| eval AppVersion=a."".b."".c
| stats max(AppVersion)

Re: How to edit my search to compare software version numbers to find the latest version?

Aaron_Fogarty — Wed, 27 Jul 2016 12:29:14 GMT

Hey HeinzWaescher ,
I could not get this to work either.
but Thanks again

Re: How to edit my search to compare software version numbers to find the latest version?

Aaron_Fogarty — Wed, 27 Jul 2016 12:30:06 GMT

The first example works great.
Thanks sundareshr