index=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1* DisplayName="anysoftware*" host=prod1*
| dedup host, DisplayName
| stats count(host) as #_of_Hosts_with_package by DisplayName, DisplayVersion
| append
    [search index=testindex sourcetype=host source="testindex://hostSoftware" host=prod1*
    | table host
    | search NOT
        [search index=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1*
        | search "DisplayName"="anysoftware*"
        | dedup host
        | table host]
    | rename host as Hosts_Missing_software
    | stats count(Hosts_Missing_software) as #_Hosts_Missing_LeostreamAgent, list(Hosts_Missing_software) as Hosts_Missing_software]
The append does not yield all of the results due to the maxout limit, so I am moving to multisearch.
I am trying to do the same search with multisearch, but it is not working. Any help is much appreciated. TIA
| multisearch
    [search index=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1* | fields host | rename host as Hosts_raw_List | eval type="search1" ]
    [index=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1* Name="Anysoftware*" | fields host Name Version | rename host as hostwithpack | eval type="search2" ]
| eval result=search1-search2.
My search1 returns 12 hosts (total number of hosts available).
Search 2 returns 11 hosts (hosts with software installed).
I am looking for results like this in a table:
Name | Version | # of hosts with software | # of hosts without software | List of hosts with no software
Can anyone please help?
TIA
Why not just
index=testindex sourcetype=host source="testindex://hostSoftware" host=prod1*
| eval FoundSoftware=if(like(lower(DisplayName),"anysoftware%"),1,0)
| chart max(FoundSoftware) by host DisplayName
That will give you a chart with 1's for each host for each software that was found, and 0 for each software not found on that host.
You can switch host and DisplayName if you prefer the opposite orientation.
Then you can use the above results to calculate the two pieces of information that you want.
If you want to untable the results into one record per host per DisplayName, then this command will achieve that.
| untable host DisplayName FoundSoftware
Thanks for the reply.
index=powershell sourcetype=sw_list source="powershell://cw_list" host=prod* | stats list(host)
This query yields 5 hosts.
Host1
Host2
Host3
Host4
Host5
index=powershell sourcetype=sw_list source="powershell://cw_list" host=prod* packagename="Mysoftware" | stats count(host) by packagename packageversion
host packageName packageVersion
Host1 Mysoftware 1.0
Host3 Mysoftware 1.1
Host5 Mysoftware 1.0
I am looking for a query that yields the below report:
PackageName PackageVersion Total_hosts_with_pkg Total_hosts_without ListOfHostMissingPack
Mysoftware 1.0 2 2 Host2
Mysoftware 1.1 1 Host4
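One single-search way to build a report of this shape without append or multisearch, so no subsearch result limit applies (an added example, not a query from any poster in this thread). It assumes every host in scope sends at least one sw_list event in the search window; pkg_version and missing_host are helper field names introduced here, and the index, sourcetype and package fields are the ones quoted in the post above.

```spl
index=powershell sourcetype=sw_list source="powershell://cw_list" host=prod*
| eval pkg_version=if(packagename="Mysoftware", packageversion, null())
| stats values(pkg_version) as packageversion by host
| eval missing_host=if(isnull(packageversion), host, null())
| eventstats dc(missing_host) as Total_hosts_without values(missing_host) as ListOfHostMissingPack
| where isnotnull(packageversion)
| mvexpand packageversion
| stats dc(host) as Total_hosts_with_pkg values(Total_hosts_without) as Total_hosts_without values(ListOfHostMissingPack) as ListOfHostMissingPack by packageversion
| eval PackageName="Mysoftware"
| table PackageName packageversion Total_hosts_with_pkg Total_hosts_without ListOfHostMissingPack
```

Each version row carries the same Total_hosts_without and the full list of hosts missing the package. A host that sent no inventory events at all in the time range is counted nowhere, so an agent-coverage check still needs an independent host list to compare against.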