Splunk Search
Highlighted

How to find an exclusive value based on another field

Contributor

There are 3 fields important to this search

Application
InstalledVersion
InstalledStatus

I am trying to find devices that are missing an Application completely, (not just missing the latest version of the application)

So as an example

I made an app called FactChecker V.1, then I updated this application:
Fact
Checker v.2

I want to know what devices do not have the application at all

I have tried:
InstalledStatus NOT Installed -
No results (Because it checks ALL applications for the Installed status = Installed which is not what I need, I need it to show by application, some might be empty because they have zero devices with no installs but others will have a few missing the application completely)

InstalledStatus != Installed -
Shows me previous versions or new versions of the same application

Search (Application=* AND InstalledStatus NOT Installed) -
No results

The issue is I have other applications also reporting, I need this done on a per app basis.

Ie:
How many do not have any version of FactChecker installed?
How many do not have any version Browser
App installed?
How many do not have any version WifiSettingsApp installed?

0 Karma
Highlighted

Re: How to find an exclusive value based on another field

Esteemed Legend

Like this:

... | stats values(Application) AS Application BY host 
| stats list(*) AS * BY host 
| eval Application = mvappend(Application, "COUNTER") 
| stats dc(host) AS host_count BY Application
| eventstats max(host_count) AS total_host_count
| search NOT Application="COUNTER"
| eval missing_host_count = total_host_count - host_count

View solution in original post

0 Karma