Splunk Search

How to find an exclusive value based on another field

JoshuaJohn
Contributor

There are 3 fields important to this search:

Application
InstalledVersion
InstalledStatus

I am trying to find devices that are missing an Application completely (not just missing the latest version of the application).

So, as an example:

I made an app called Fact_Checker V.1, then I updated this application:
Fact_Checker v.2

I want to know what devices do not have the application at all.

I have tried:

InstalledStatus NOT Installed -
No results (because it checks ALL applications for InstalledStatus = Installed, which is not what I need; I need it to show by application: some might be empty because they have zero devices with no installs, but others will have a few missing the application completely).

InstalledStatus != Installed -
Shows me previous versions or new versions of the same application.

Search (Application=* AND InstalledStatus NOT Installed) -
No results.

The issue is that I have other applications also reporting; I need this done on a per-app basis.

I.e.:
How many do not have any version of Fact_Checker installed?
How many do not have any version of Browser_App installed?
How many do not have any version of Wifi_Settings_App installed?

1 Solution

woodcock
Esteemed Legend

Like this:

... | stats values(Application) AS Application BY host
| stats list(*) AS * BY host
| eval Application = mvappend(Application, "COUNTER")
| stats dc(host) AS host_count BY Application
| eventstats max(host_count) AS total_host_count
| search NOT Application="COUNTER"
| eval missing_host_count = total_host_count - host_count


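Added example, not from the thread or from either poster: a Python model of the accepted SPL answer, so the per-application "missing completely" count and its COUNTER sentinel trick can be checked offline against a few constructed events. It assumes the three fields from the question plus a `host` field, that the `...` base search in the SPL restricts to `InstalledStatus=Installed`, and that a version which is reported but absent carries the status value "Not Installed" (the exact value is not given in the thread). The `known_hosts` parameter is an addition on top of the SPL: the sentinel only counts hosts that reported at least one event, so a device that sends nothing never shows up in `missing_host_count` unless you supply an asset list.

```python
from collections import defaultdict

# Constructed sample events (not real inventory data). Field names follow the
# question: Application, InstalledVersion, InstalledStatus, plus host.
# "Not Installed" as a status value is an assumption.
EVENTS = [
    # ws01: both Fact_Checker versions reported, v1 installed, v2 not yet
    {"host": "ws01", "Application": "Fact_Checker", "InstalledVersion": "1", "InstalledStatus": "Installed"},
    {"host": "ws01", "Application": "Fact_Checker", "InstalledVersion": "2", "InstalledStatus": "Not Installed"},
    {"host": "ws01", "Application": "Browser_App", "InstalledVersion": "10", "InstalledStatus": "Installed"},
    # ws02: Fact_Checker v2 installed, Browser_App reported but not installed
    {"host": "ws02", "Application": "Fact_Checker", "InstalledVersion": "2", "InstalledStatus": "Installed"},
    {"host": "ws02", "Application": "Browser_App", "InstalledVersion": "10", "InstalledStatus": "Not Installed"},
    # ws03: no Fact_Checker rows at all, only Wifi_Settings_App
    {"host": "ws03", "Application": "Wifi_Settings_App", "InstalledVersion": "3", "InstalledStatus": "Installed"},
    # ws04: Fact_Checker only ever reported as "Not Installed"
    {"host": "ws04", "Application": "Fact_Checker", "InstalledVersion": "1", "InstalledStatus": "Not Installed"},
    {"host": "ws04", "Application": "Wifi_Settings_App", "InstalledVersion": "3", "InstalledStatus": "Installed"},
]


def installed_apps_by_host(events):
    """Equivalent of `InstalledStatus=Installed | stats values(Application) BY host`:
    the set of applications each host has installed in ANY version."""
    by_host = defaultdict(set)
    for ev in events:
        if ev["InstalledStatus"] == "Installed":
            by_host[ev["host"]].add(ev["Application"])
    return by_host


def missing_counts(events, known_hosts=None):
    """Per application: how many hosts have no version of it installed.

    The denominator is every host that appears in the events, which is what
    the COUNTER sentinel in the SPL answer computes via eventstats max().
    Pass known_hosts (e.g. an asset inventory) to also count hosts that sent
    no events at all; the SPL alone cannot see those."""
    by_host = installed_apps_by_host(events)
    if known_hosts is not None:
        hosts = set(known_hosts)
    else:
        hosts = {ev["host"] for ev in events}
    apps = {ev["Application"] for ev in events}
    result = {}
    for app in sorted(apps):
        have = {h for h in hosts if app in by_host.get(h, set())}
        result[app] = {
            "host_count": len(have),                 # SPL: dc(host) per Application
            "total_host_count": len(hosts),          # SPL: max(host_count), the COUNTER row
            "missing_host_count": len(hosts) - len(have),
            "missing_hosts": sorted(hosts - have),   # not in the SPL; handy for follow-up
        }
    return result


if __name__ == "__main__":
    for app, row in missing_counts(EVENTS).items():
        print(f"{app}: {row['missing_host_count']} of {row['total_host_count']} "
              f"hosts missing -> {row['missing_hosts']}")
```

Two things the output makes visible that the SPL's numbers alone do not: ws01 counts as having Fact_Checker even though v2 is "Not Installed", because any installed version satisfies the question, and ws04 counts as missing it even though it reports Fact_Checker rows, because none of them are "Installed". If the base search does not filter on `InstalledStatus=Installed`, ws04 would wrongly be counted as having the application.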