How do I limit a search to everything except the t...

CoryC · ‎12-05-2023

How do I grab all of the versions of Splunk EXCEPT the top 1, basically the opposite of

index=winconfig sourcetype="WMIC:InstalledProduct" Name="*UniversalForwarder*"
| top limit=1 Version
| table Version

It would be nice if there was a top limit=-1 component.

Or,

How do I negate a subsearch?

index=winconfig sourcetype="WMIC:InstalledProduct" Name="*UniversalForwarder*"
[search index=winconfig sourcetype="WMIC:InstalledProduct" Name="*UniversalForwarder*"
| top limit=1 Version
| table Version]
| dedup host, Version
| table host Name Version

I want to search for all computers with other versions of Splunk

dtburrows3 · ‎12-12-2023

I think this SPL tacked on to the end of your search will work assuming the versioning follows Semantic Versioning convention.

| stats
        dc(host) as dc_hosts
           by Version
    | eval
        major_version=mvindex(split(Version, "."), 0),
        minor_version=mvindex(split(Version, "."), 1),
        patch_version=mvindex(split(Version, "."), 2),
        minor_patch_version=mvindex(split(Version, "."), 3)
    | sort 0 -major_version, -minor_version, -patch_version, -minor_patch_version
    | fields - *_version
    | eventstats
        first(Version) as latest_version
    | where NOT 'Version'=='latest_version'

How do I limit a search to everything except the top 1

stats

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?