Splunk Search

How to edit my search to compare software version numbers to find the latest version?

Aaron_Fogarty
Path Finder

Hi,

I have a field called AppVersion. The field value represents the version of a piece of software.

Example AppVersion = 3.0.1

I am trying to return the most recent version of the App that a user has used.

What I tried was to break the value down into parts and add them together. The problem with this is that if the value is 3.0.1 or 2.2.0, the summed values are the same. Also, I was only able to display the summed value of the highest version, not the field AppVersion that I want.

index=abc sourcetype=123 User="john"  AppVersion | rex "AppVersion=(?<versionD1>\d+)" | rex "AppVersion=\d+\.(?<versionD2>\d+)" | rex "AppVersion=\d+\.\d+\.(?<versionD3>\d+)" | eval version= versionD1 + versionD2 + versionD3 | dedup AppVersion | stats max(version) as maxVersion | fields maxVersion AppVersion

Thanks

1 Solution

sundareshr
Legend

Try this

index=abc sourcetype=123 User=*  AppVersion | rex "AppVersion=(?<versionD1>\d+)" | rex "AppVersion=\d+\.(?<versionD2>\d+)" | rex "AppVersion=\d+\.\d+\.(?<versionD3>\d+)" | sort 0 User -versionD1 -versionD2 -versionD3 | streamstats count by User | where count=1 | eval Version = versionD1.".".versionD2.".".versionD3 | fields User Version

*OR*

index=abc sourcetype=123 User=*  AppVersion | rex "AppVersion=(?<versionD1>\d+)" | rex "AppVersion=\d+\.(?<versionD2>\d+)" | rex "AppVersion=\d+\.\d+\.(?<versionD3>\d+)" | stats max(versionD1) as v1 max(versionD2) as v2 max(versionD3) as v3 by User | eval Version = v1.".".v2.".".v3 | fields User Version



Aaron_Fogarty
Path Finder

The first example works great.
Thanks sundareshr


HeinzWaescher
Motivator

Try this:

index=abc sourcetype=123 User="john"  AppVersion
| stats latest(AppVersion)

Aaron_Fogarty
Path Finder

Hey HeinzWaescher,

Thanks for the reply but this didn't work. It looks like the latest() command returns the latest value by its timestamp.


HeinzWaescher
Motivator

Yes it does, I thought that is your goal.


Aaron_Fogarty
Path Finder

No, not by time but by the value of the field AppVersion. I am looking to return the latest version of the software.

For Example if the values are

AppVersion = 3.0.1
and
AppVersion = 2.2.0

The latest version in this case would be 3.0.1 and that is the value I want returned.

Thanks


HeinzWaescher
Motivator

What about

| rex field=AppVersion "(?<a>\d+)\.(?<b>\d+)\.(?<c>\d+)"
| eval AppVersion=a."".b."".c
| stats max(AppVersion)

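The following search is an added example, not code from any of the posters in this thread. It builds a constructed sample set with makeresults (users john and mary with made-up AppVersion values) and shows, side by side, what three approaches return per user: the sorted-components approach from the accepted answer (sort on numeric parts, keep the first event per User), the digit-concatenation approach in the reply just above, and the component-wise max variant from the accepted answer's second search. All field names (v1, v2, v3, concat_key, m1, m2, m3, concat_pick, latest_by_concat, latest_by_componentwise_max) are assumptions chosen for this illustration. The rex pattern escapes the dots (an unescaped "." matches any character), treats the minor and patch parts as optional so a two-part value such as 3.1 is ranked as 3.1.0, and uses "sort 0" so the default 10,000-event sort limit cannot silently truncate the input.

```spl
| makeresults
| eval data="john,3.0.1|john,2.2.0|john,3.10.0|john,3.9.4|john,3.1|mary,10.0.0|mary,9.12.3"
| eval data=split(data, "|")
| mvexpand data
| rex field=data "^(?<User>[^,]+),(?<AppVersion>.+)$"
| rex field=AppVersion "^(?<v1>\d+)(?:\.(?<v2>\d+))?(?:\.(?<v3>\d+))?"
| eval v1=tonumber(v1), v2=coalesce(tonumber(v2), 0), v3=coalesce(tonumber(v3), 0)
| eval concat_key=tonumber(v1."".v2."".v3)
| eventstats max(concat_key) as concat_max, max(v1) as m1, max(v2) as m2, max(v3) as m3 by User
| eval concat_pick=if(concat_key=concat_max, AppVersion, null())
| eventstats values(concat_pick) as latest_by_concat by User
| sort 0 User -num(v1) -num(v2) -num(v3)
| dedup User
| eval latest_by_componentwise_max=m1.".".m2.".".m3
| table User AppVersion latest_by_concat latest_by_componentwise_max
```

With the constructed rows above, the AppVersion column (the sorted-components result) is 3.10.0 for john and 10.0.0 for mary, which is the correct answer in both cases. latest_by_concat agrees for john only by luck and returns 9.12.3 for mary, because "9123" is numerically larger than "1000" once the dots are dropped; that is why concatenating the digits breaks as soon as a component has two digits. latest_by_componentwise_max returns 3.10.4 and 10.12.3, versions that no event contains, because taking max() of each part independently mixes parts from different events. The dedup after the sort is equivalent to the accepted answer's streamstats count / where count=1 pair, and the sample data can be swapped for the real index=abc sourcetype=123 search by replacing the first five lines with it.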

Aaron_Fogarty
Path Finder

Hey HeinzWaescher,
I could not get this to work either, but thanks again.
