How do I limit a search to everything except the t...

CoryC · ‎12-05-2023

How do I grab all of the versions of Splunk EXCEPT the top 1, basically the opposite of

index=winconfig sourcetype="WMIC:InstalledProduct" Name="*UniversalForwarder*"
| top limit=1 Version
| table Version

It would be nice if there was a top limit=-1 component.

Or,

How do I negate a subsearch?

index=winconfig sourcetype="WMIC:InstalledProduct" Name="*UniversalForwarder*"
[search index=winconfig sourcetype="WMIC:InstalledProduct" Name="*UniversalForwarder*"
| top limit=1 Version
| table Version]
| dedup host, Version
| table host Name Version

I want to search for all computers with other versions of Splunk

dtburrows3 · ‎12-12-2023

I think this SPL tacked on to the end of your search will work assuming the versioning follows Semantic Versioning convention.

| stats
        dc(host) as dc_hosts
           by Version
    | eval
        major_version=mvindex(split(Version, "."), 0),
        minor_version=mvindex(split(Version, "."), 1),
        patch_version=mvindex(split(Version, "."), 2),
        minor_patch_version=mvindex(split(Version, "."), 3)
    | sort 0 -major_version, -minor_version, -patch_version, -minor_patch_version
    | fields - *_version
    | eventstats
        first(Version) as latest_version
    | where NOT 'Version'=='latest_version'

How do I limit a search to everything except the top 1

stats

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How do I limit a search to everything except the top 1

stats

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!