Solved: Agent version grouping by OS

jcorcoran508 · ‎06-30-2021

I have many agent versions and each row is displayed as the different version... Like the query is telling it to do.

I need help in the sense of would like to truncate evey period and digit to the single version digit.

6.3.0.0

6.2.1

7.3.3

7.21

To look like this:

6

7

richgalloway · ‎06-30-2021

There are a few ways to do that. Here's one

| rex field=version "(?<version>\d+)\."

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎06-30-2021

There are a few ways to do that. Here's one

| rex field=version "(?<version>\d+)\."

---
If this reply helps you, Karma would be appreciated.

aasabatini · ‎06-30-2021

Hi @jcorcoran508

you can use substr eval function

| eval version=substr(version,1,1)

useful search:

index=_internal sourcetype=splunkd group=tcpin_connections version=* os=* arch=* build=* hostname=* source=*metrics.log
| stats latest(version) as version,latest(arch) as arch,latest(os) as os,latest(build) as build by hostname
| eval version=substr(version,1,1)
| join hostname [ | metadata type=hosts index=*
| eval last_seen_hours=(now()-lastTime)/60/60
| table host, last_seen_hours
| rex field=host "(?<hostname>[^\.]+)" | fields - host ]

Regards

Ale

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

Agent version grouping by OS

field extraction

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!