Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find an exclusive value based on another field

JoshuaJohn
Contributor
‎07-29-2019 03:50 PM

There are 3 fields important to this search

Application
InstalledVersion
InstalledStatus

I am trying to find devices that are missing an Application completely, (not just missing the latest version of the application)

So as an example

I made an app called Fact_Checker V.1, then I updated this application:
Fact_Checker v.2

I want to know what devices do not have the application at all

I have tried:
InstalledStatus NOT Installed -
No results (Because it checks ALL applications for the Installed status = Installed which is not what I need, I need it to show by application, some might be empty because they have zero devices with no installs but others will have a few missing the application completely)

InstalledStatus != Installed -
Shows me previous versions or new versions of the same application

Search (Application=* AND InstalledStatus NOT Installed) -
No results

The issue is I have other applications also reporting, I need this done on a per app basis.

Ie:
How many do not have any version of Fact_Checker installed?
How many do not have any version Browser_App installed?
How many do not have any version Wifi_Settings_App installed?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-29-2019 05:06 PM

Like this:

... | stats values(Application) AS Application BY host 
| stats list(*) AS * BY host 
| eval Application = mvappend(Application, "COUNTER") 
| stats dc(host) AS host_count BY Application
| eventstats max(host_count) AS total_host_count
| search NOT Application="COUNTER"
| eval missing_host_count = total_host_count - host_count

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-29-2019 05:06 PM

Like this:

... | stats values(Application) AS Application BY host 
| stats list(*) AS * BY host 
| eval Application = mvappend(Application, "COUNTER") 
| stats dc(host) AS host_count BY Application
| eventstats max(host_count) AS total_host_count
| search NOT Application="COUNTER"
| eval missing_host_count = total_host_count - host_count
0 Karma
Reply
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...