Re: How do I limit a search to everything except t...

CoryC · ‎12-05-2023

How do I grab all of the versions of Splunk EXCEPT the top 1, basically the opposite of

index=winconfig sourcetype="WMIC:InstalledProduct" Name="*UniversalForwarder*"
| top limit=1 Version
| table Version

It would be nice if there was a top limit=-1 component.

Or,

How do I negate a subsearch?

index=winconfig sourcetype="WMIC:InstalledProduct" Name="*UniversalForwarder*"
[search index=winconfig sourcetype="WMIC:InstalledProduct" Name="*UniversalForwarder*"
| top limit=1 Version
| table Version]
| dedup host, Version
| table host Name Version

I want to search for all computers with other versions of Splunk

dtburrows3 · ‎12-12-2023

I think this SPL tacked on to the end of your search will work assuming the versioning follows Semantic Versioning convention.

| stats
        dc(host) as dc_hosts
           by Version
    | eval
        major_version=mvindex(split(Version, "."), 0),
        minor_version=mvindex(split(Version, "."), 1),
        patch_version=mvindex(split(Version, "."), 2),
        minor_patch_version=mvindex(split(Version, "."), 3)
    | sort 0 -major_version, -minor_version, -patch_version, -minor_patch_version
    | fields - *_version
    | eventstats
        first(Version) as latest_version
    | where NOT 'Version'=='latest_version'

How do I limit a search to everything except the top 1

stats

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Are you a member of the Splunk Community?

How do I limit a search to everything except the top 1

stats

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!