topic Help With Sorting - Multiple Decimal Points in Splunk Search

Help With Sorting - Multiple Decimal Points

bgagliardi1 — Wed, 28 Feb 2018 05:38:23 GMT

Hi,

I'm dealing with decimal points trying to determine the latest version of some software, but it's botching the integers after the first decimal point.

SoftwareVersion
5.0.1450.509
5.0.1450.8 <----Example
4.2.1330.31

I've tried stats list(field) and it still didn't provide the searching I was looking for. Thoughts? Please don't suggest an eval field separation per decimal 😉

Re: Help With Sorting - Multiple Decimal Points

acharlieh — Wed, 28 Feb 2018 06:10:45 GMT

Assuming all of your version strings are the same number of components long, I would try the sort command, specifically telling it to sort the field as an IP address:

| sort ip(SoftwareVersion)

It seems to work well so long as all the versions are the same length:

| makeresults | eval versions=split("5.0.13.1,5.0.1450.509,4.2.1330.31,5.0.1450.510,5.0.1449.508,5.0.15.4",",") | mvexpand versions | sort ip(versions)

But it seems to get tripped up when the version strings are varying numbers of components long:

| makeresults | eval versions=split("5.0.13.1,5.0.1450.509.1,4.2.1330.31,5.0.1450.510,5.0.1449.508,5.0.15",",") | mvexpand versions | sort ip(versions)

I would then also file a P4 enhancement request asking for an additional sort option (possibly one based on semantic versioning).

Re: Help With Sorting - Multiple Decimal Points

bgagliardi1 — Mon, 05 Mar 2018 21:01:13 GMT

Thanks, I'll submit the P4 enhancement. Fortunately, I realized that the delineation between numbering orders was operating system based, OSX/Windows clients. I was able to do the sort correctly by running two searches specific to the OS', and then sorting that way.

I can confirm it was lexicographical ordering vs semantic versioning.