Solved: view report with one instance of a specific versio...

patrick79 · ‎04-17-2024

I am trying to create a report that pulls a version, but only shows one instance and then list all the hosts within that version

ITWhisperer · ‎04-17-2024

Assuming you already have the fields extracted:

<your index search>
| stats count by Name Version host
| eventstats count by Name Version
| eventstats max(count) as top
| where count=top

View solution in original post

patrick79 · ‎04-17-2024

I am searching for "Unified Payment Platform Version=" which contains the specific version of firmware from about 2000+ hosts.
The line I am searching may populate multiple times depending on if the device was rebooted.

The search I need:
- list all the versions, but only one count from each host
- if possible, the list the hosts on the version

ITWhisperer · ‎04-17-2024

Please share some anonymised representative events in raw format in a code block </>

patrick79 · ‎04-17-2024

[2024-04-17 10:23:37] [Lane 0] Application ID: Name=Unified Payment Platform Version=06.80.06-0032

ITWhisperer · ‎04-17-2024

Assuming you already have the fields extracted:

<your index search>
| stats count by Name Version host
| eventstats count by Name Version
| eventstats max(count) as top
| where count=top

ITWhisperer · ‎04-17-2024

You could try something like this

<your index search>
| eventstats count by Version
| eventstats max(count) as top
| where count=top

view report with one instance of a specific version

saved search

Meet Duke Cyberwalker | A hero’s journey with Splunk

The Future of Splunk Search is Here - See What’s New!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today