Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find an exclusive value based on another field

JoshuaJohn
Contributor
‎07-29-2019 03:50 PM

There are 3 fields important to this search

Application
InstalledVersion
InstalledStatus

I am trying to find devices that are missing an Application completely, (not just missing the latest version of the application)

So as an example

I made an app called Fact_Checker V.1, then I updated this application:
Fact_Checker v.2

I want to know what devices do not have the application at all

I have tried:
InstalledStatus NOT Installed -
No results (Because it checks ALL applications for the Installed status = Installed which is not what I need, I need it to show by application, some might be empty because they have zero devices with no installs but others will have a few missing the application completely)

InstalledStatus != Installed -
Shows me previous versions or new versions of the same application

Search (Application=* AND InstalledStatus NOT Installed) -
No results

The issue is I have other applications also reporting, I need this done on a per app basis.

Ie:
How many do not have any version of Fact_Checker installed?
How many do not have any version Browser_App installed?
How many do not have any version Wifi_Settings_App installed?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-29-2019 05:06 PM

Like this:

... | stats values(Application) AS Application BY host 
| stats list(*) AS * BY host 
| eval Application = mvappend(Application, "COUNTER") 
| stats dc(host) AS host_count BY Application
| eventstats max(host_count) AS total_host_count
| search NOT Application="COUNTER"
| eval missing_host_count = total_host_count - host_count

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-29-2019 05:06 PM

Like this:

... | stats values(Application) AS Application BY host 
| stats list(*) AS * BY host 
| eval Application = mvappend(Application, "COUNTER") 
| stats dc(host) AS host_count BY Application
| eventstats max(host_count) AS total_host_count
| search NOT Application="COUNTER"
| eval missing_host_count = total_host_count - host_count
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...