Solved: Comparing data between rows and show only needed r...

flukey · ‎07-29-2021

Hi Splunker

I'm quite new to splunk. Can you please help me out on this search?

I have a table of antivirus database version of each servers.

Server | database version
A 5

B 4

C 4

D 3

E 5

Assume that A is my main server and the rest download from A. So I wanna compare the rest database version with A and display only the servers that version is less than A

so the expected result will be

Server | database version
B 4

C 4

D 3

kamlesh_vaghela · ‎07-29-2021

@flukey

Try some thing like this.

YOUR_SEARCH
| eventstats max(eval(if(Server=="A",database_version,null()))) as A_database_version
| where database_version< A_database_version | fields - A_database_version

My Sample Search :

| makeresults | eval _raw="Server,database_version
A,5
B,4
C,4
D,3
E,5"| multikv forceheader=1
| table Server,database_version
| rename comment as "Upto Now is sample data only" 
| eventstats max(eval(if(Server=="A",database_version,null()))) as A_database_version
| where database_version< A_database_version | fields - A_database_version

Thanks
KV
▄︻̷̿┻̿═━一 ?

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

flukey · ‎07-30-2021

Hi Kamlesh

Thank your very much for your help!

kamlesh_vaghela · ‎07-29-2021

@flukey

Try some thing like this.

YOUR_SEARCH
| eventstats max(eval(if(Server=="A",database_version,null()))) as A_database_version
| where database_version< A_database_version | fields - A_database_version

My Sample Search :

| makeresults | eval _raw="Server,database_version
A,5
B,4
C,4
D,3
E,5"| multikv forceheader=1
| table Server,database_version
| rename comment as "Upto Now is sample data only" 
| eventstats max(eval(if(Server=="A",database_version,null()))) as A_database_version
| where database_version< A_database_version | fields - A_database_version

Thanks
KV
▄︻̷̿┻̿═━一 ?

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Comparing data between rows and show only needed result

eval

fields

search job inspector

stats

subsearch

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms