Splunk Search

How do I limit a search to everything except the top 1?

CoryC
Engager

How do I grab all of the versions of Splunk EXCEPT the top 1, basically the opposite of:

index=winconfig sourcetype="WMIC:InstalledProduct" Name="*UniversalForwarder*"
| top limit=1 Version
| table Version

It would be nice if there was a top limit=-1 component.

Or,

How do I negate a subsearch?

index=winconfig sourcetype="WMIC:InstalledProduct" Name="*UniversalForwarder*"
[search index=winconfig sourcetype="WMIC:InstalledProduct" Name="*UniversalForwarder*"
| top limit=1 Version
| table Version]
| dedup host, Version
| table host Name Version

I want to search for all computers with other versions of Splunk.

0 Karma

dtburrows3
Builder

I think this SPL tacked on to the end of your search will work, assuming the versioning follows the Semantic Versioning convention.

| stats
    dc(host) as dc_hosts
    by Version
| eval
    major_version=mvindex(split(Version, "."), 0),
    minor_version=mvindex(split(Version, "."), 1),
    patch_version=mvindex(split(Version, "."), 2),
    minor_patch_version=mvindex(split(Version, "."), 3)
| sort 0 -major_version, -minor_version, -patch_version, -minor_patch_version
| fields - *_version
| eventstats
    first(Version) as latest_version
| where NOT 'Version'=='latest_version'
0 Karma
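
Added example, not part of either post above: one way to handle the second question (negating the subsearch) is to put NOT in front of it, so the Version=... term the subsearch returns becomes an exclusion. It uses only the index, sourcetype and field names from the question.

```spl
index=winconfig sourcetype="WMIC:InstalledProduct" Name="*UniversalForwarder*"
    NOT [ search index=winconfig sourcetype="WMIC:InstalledProduct" Name="*UniversalForwarder*"
          | top limit=1 Version
          | table Version ]
| dedup host, Version
| table host Name Version
```

Because top limit=1 returns the most common Version, this lists hosts that are off the majority version, while the reply above excludes the highest Version instead; the two differ whenever most of the fleet has not yet been upgraded.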