Splunk Search

Counting Number of Field Installs ( Counting Latest event only)

raby1996
Path Finder

Hi all,

I am attempting to count the number of Installs of certain code levels for field machines. Essentially I am extracting this information from some logs, and then I am listing all the code levels by machine serial, this gives me the code level history of a machine. Where I am struggling is being able to list current installs of the code levels, so this would include counts of 0 since not all code levels are currently being used, however I feel that my current approach isn't appropriate , I've included some samples below.

First part of Search-

Search.......| stats values(code_level) as code_level list(time_on_machine) as time_on_machine by Machine_Serial
| stats dc(Machine_Serial) as installs sum(time_on_machine) by code_level

Results-

Machine_Serial                     code_level         time_on_machine

75abc                                  1.1                  365
                                       1.3                  20
                                       1.4                  50 

75dfe                                  1.1                  10
                                       1.3                  15
                                       1.5                  7


75xyz                                  1.3                  25
                                       1.4                  50

As mentioned above from this search I can see a historical view of the code history for machines as well as the time it spent on a machine. Essentially only the latest code level ( the one at the bottom of each group I.E the largest one ) would count as an install so for the first group ( serial 75abc ) code level 1.1 would be a current install, but 1.3 and 1.4 would not count towards installs on their respective level, however I do take their time_on_machine field and add that to the rest, so it would look something like this-

Desired Results-

    code_level         current_installs              time_on_machine_sum  
    1.1                        0                            375
    1.3                        0                            60
    1.4                        2                            100
    1.5                        1                            7

Is there any way I can achieve the current_installs portion of this search? Thank you in advance, and please let me know if something was not clear.

1 Solution

somesoni2
Revered Legend

Give this a try

 Search.......| stats values(code_level) as code_level list(time_on_machine) as time_on_machine by Machine_Serial
| eval latest_code_level=mvindex(code_level,-1)
| eval latest_time_on_machine=mvindex(time_on_machine,-1)
| eval temp=mvzip(code_level,time_on_machine,"#") | fields - code_level, time_on_machine | mvexpand temp | rex field=temp "(?<code_level>.+)#(?<time_on_machine>.+)" | fields - temp
| eval current_install=if(code_level=latest_code_level,1,0)
| stats sum(current_install) as current_install sum(time_on_machine) as time_on_machine by code_level

View solution in original post

somesoni2
Revered Legend

Give this a try

 Search.......| stats values(code_level) as code_level list(time_on_machine) as time_on_machine by Machine_Serial
| eval latest_code_level=mvindex(code_level,-1)
| eval latest_time_on_machine=mvindex(time_on_machine,-1)
| eval temp=mvzip(code_level,time_on_machine,"#") | fields - code_level, time_on_machine | mvexpand temp | rex field=temp "(?<code_level>.+)#(?<time_on_machine>.+)" | fields - temp
| eval current_install=if(code_level=latest_code_level,1,0)
| stats sum(current_install) as current_install sum(time_on_machine) as time_on_machine by code_level

raby1996
Path Finder

Worked Perfectly thank you!

P.S. one small thing there is a "(" missing after mvindex on the 3rd line

0 Karma

somesoni2
Revered Legend

Thanks for noticing the type. Just corrected it.

0 Karma

sundareshr
Legend

How about this?

Search.......| stats dc(Machine_Serial) as current_installs sum(time_on_machine) as  time_on_machine_sum by  code_level
0 Karma

raby1996
Path Finder

Hello sundareshr,
I've tried that, but this will return a count that includes code levels that are no longer on that machine so where I should get a 0 for example, I'll end up getting a value of 1 or more. Still thank you

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...