Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

view report with one instance of a specific version

patrick79
Explorer
‎04-17-2024 07:16 AM

I am trying to create a report that pulls a version, but only shows one instance and then list all the hosts within that version

patrick79_0-1713363255097.png

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-17-2024 09:37 AM

Assuming you already have the fields extracted:

<your index search>
| stats count by Name Version host
| eventstats count by Name Version
| eventstats max(count) as top
| where count=top

View solution in original post

Reply
Solved! Jump to solution

patrick79
Explorer
‎04-17-2024 09:10 AM

I am searching for "Unified Payment Platform Version=" which contains the specific version of firmware from about 2000+ hosts. 
The line I am searching may populate multiple times depending on if the device was rebooted.

The search I need:
 - list all the versions, but only one count from each host
 - if possible, the list the hosts on the version

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-17-2024 09:24 AM

Please share some anonymised representative events in raw format in a code block </>

0 Karma
Reply
Solved! Jump to solution

patrick79
Explorer
‎04-17-2024 09:28 AM

[2024-04-17 10:23:37] [Lane 0] Application ID: Name=Unified Payment Platform Version=06.80.06-0032

 

patrick79_0-1713371287284.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-17-2024 09:37 AM

Assuming you already have the fields extracted:

<your index search>
| stats count by Name Version host
| eventstats count by Name Version
| eventstats max(count) as top
| where count=top
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-17-2024 08:50 AM

You could try something like this

<your index search>
| eventstats count by Version
| eventstats max(count) as top
| where count=top
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...