There are 3 fields important to this search
Application
InstalledVersion
InstalledStatus
I am trying to find devices that are missing an Application completely, (not just missing the latest version of the application)
So as an example
I made an app called Fact_Checker V.1, then I updated this application:
Fact_Checker v.2
I want to know what devices do not have the application at all
I have tried:
InstalledStatus NOT Installed -
No results (Because it checks ALL applications for the Installed status = Installed which is not what I need, I need it to show by application, some might be empty because they have zero devices with no installs but others will have a few missing the application completely)
InstalledStatus != Installed -
Shows me previous versions or new versions of the same application
Search (Application=* AND InstalledStatus NOT Installed) -
No results
The issue is I have other applications also reporting, I need this done on a per app basis.
Ie:
How many do not have any version of Fact_Checker installed?
How many do not have any version Browser_App installed?
How many do not have any version Wifi_Settings_App installed?
Like this:
... | stats values(Application) AS Application BY host
| stats list(*) AS * BY host
| eval Application = mvappend(Application, "COUNTER")
| stats dc(host) AS host_count BY Application
| eventstats max(host_count) AS total_host_count
| search NOT Application="COUNTER"
| eval missing_host_count = total_host_count - host_count
Like this:
... | stats values(Application) AS Application BY host
| stats list(*) AS * BY host
| eval Application = mvappend(Application, "COUNTER")
| stats dc(host) AS host_count BY Application
| eventstats max(host_count) AS total_host_count
| search NOT Application="COUNTER"
| eval missing_host_count = total_host_count - host_count