
How to edit my search to compare software version numbers to find the latest version?

Path Finder

Hi,

I have a field called AppVersion. The field value represents the version of a piece of software.

Example: AppVersion = 3.0.1

I am trying to return the most recent version of the App that a user has used.

What I have tried was to break down the value into parts and add them together. The problem with this is, if the value is 3.0.1 or 2.2.0, the summed values are the same. Also, I was only able to display the summed value of the highest version, and not the field AppVersion that I want.

index=abc sourcetype=123 User="john"  AppVersion | rex "AppVersion=(?<versionD1>\d+)" | rex "AppVersion=\d+.(?<versionD2>\d+)" | rex "AppVersion=\d+.\d+.(?<versionD3>\d+)"| eval version= versionD1 + versionD2 + versionD3 | dedup AppVersion | stats max(version) as maxVersion | fields maxVersion AppVersion

Thanks

0 Karma

Re: How to edit my search to compare software version numbers to find the latest version?

Motivator

Try this:

index=abc sourcetype=123 User="john"  AppVersion
| stats latest(AppVersion)
0 Karma

Re: How to edit my search to compare software version numbers to find the latest version?

Path Finder

Hey HeinzWaescher,

Thanks for the reply, but this didn't work. It looks like the latest() command returns the latest value by its timestamp.

0 Karma

Re: How to edit my search to compare software version numbers to find the latest version?

Motivator

Yes, it does. I thought that was your goal.

0 Karma

Re: How to edit my search to compare software version numbers to find the latest version?

Path Finder

No, not by time but by the value of the field AppVersion. I am looking to return the latest version of the software.

For example, if the values are

AppVersion = 3.0.1
and
AppVersion = 2.2.0

The latest version in this case would be 3.0.1 and that is the value I want returned.

Thanks

0 Karma

Re: How to edit my search to compare software version numbers to find the latest version?

Motivator

What about

| rex field=AppVersion "(?<a>.*).(?<b>.*).(?<c>.*)"
| eval AppVersion=a."".b."".c
| stats max(AppVersion)

0 Karma

Re: How to edit my search to compare software version numbers to find the latest version?

Path Finder

Hey HeinzWaescher,
I could not get this to work either,
but thanks again.

0 Karma

Re: How to edit my search to compare software version numbers to find the latest version?

Legend

Try this

index=abc sourcetype=123 User=* AppVersion
| rex "AppVersion=(?<versionD1>\d+)"
| rex "AppVersion=\d+\.(?<versionD2>\d+)"
| rex "AppVersion=\d+\.\d+\.(?<versionD3>\d+)"
| sort User -versionD1 -versionD2 -versionD3
| streamstats count by User
| where count=1
| eval Version = versionD1.".".versionD2.".".versionD3
| fields User Version

*OR*

index=abc sourcetype=123 User=* AppVersion
| rex "AppVersion=(?<versionD1>\d+)"
| rex "AppVersion=\d+\.(?<versionD2>\d+)"
| rex "AppVersion=\d+\.\d+\.(?<versionD3>\d+)"
| stats max(versionD1) as v1 max(versionD2) as v2 max(versionD3) as v3 by User
| eval Version = v1.".".v2.".".v3
| fields User Version

0 Karma

Re: How to edit my search to compare software version numbers to find the latest version?

Path Finder

The first example works great.
Thanks sundareshr

0 Karma
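
An added example, not written by any poster in this thread: the comparison rule the question is after, shown outside SPL on constructed events, picking each user's highest AppVersion by comparing its numeric parts left to right and returning the original string. It also shows why taking the maximum of each part separately can produce a version that never appeared in the data. The event layout (`User="..." AppVersion=x.y.z`) and all function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample events in the thread's "AppVersion=x.y.z" form (not real data).
SAMPLE_EVENTS = [
    'User="john" AppVersion=3.0.1',
    'User="john" AppVersion=2.2.0',
    'User="john" AppVersion=2.10.0',
    'User="mary" AppVersion=1.9.3',
    'User="mary" AppVersion=1.10.0',
    'User="mary" AppVersion=beta',   # malformed: skipped rather than guessed
]

# Assumed event layout; adjust both patterns to the real sourcetype.
EVENT_RE = re.compile(r'User="(?P<user>[^"]+)".*?AppVersion=(?P<ver>\S+)')
VERSION_RE = re.compile(r'\d+(?:\.\d+)*')

def version_key(version):
    """Return the version as a tuple of ints, or None if it is not dotted-numeric."""
    if not VERSION_RE.fullmatch(version):
        return None
    return tuple(int(part) for part in version.split("."))

def versions_by_user(events):
    """Map each user to the (key, original string) pairs seen for that user."""
    seen = defaultdict(list)
    for line in events:
        m = EVENT_RE.search(line)
        key = version_key(m.group("ver")) if m else None
        if key is not None:
            seen[m.group("user")].append((key, m.group("ver")))
    return seen

def latest_per_user(events):
    """Highest version per user: tuples compare part by part, so 2.10.0 > 2.2.0."""
    return {u: max(v)[1] for u, v in versions_by_user(events).items()}

def per_part_max(events):
    """Pitfall: max() of each part on its own can name a version never observed."""
    out = {}
    for user, pairs in versions_by_user(events).items():
        keys = [k for k, _ in pairs]
        out[user] = ".".join(str(max(col)) for col in zip(*keys))
    return out

if __name__ == "__main__":
    print(latest_per_user(SAMPLE_EVENTS))
    print(per_part_max(SAMPLE_EVENTS))
```

In a search, the same ordering comes from sorting on the parts as numbers and keeping the first row per user, rather than summing the parts or aggregating them independently.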