Hello all,
I've been trying to do the following for hours and it seems like I need some assistance. We have a bunch of software versions in Splunk that we'd like to group by parent->child versioning. For example, I'd like my data to be grouped as shown below. If the value on the left side of the period matches, then they would be grouped together, regardless of the value on the left side of the period. Any grouped results that don't have at least 1 parent/child event would be ignored from the results.
Valid Results - how I'd like the data to be organized/grouped
Version LastSeen
master 03/01/2016
master.1 01/01/2016
master.2 01/01/2016
master.3 01/01/2016
deploy 03/01/2016
deploy.001 01/01/2016
deploy.1 01/01/2016
deploy.2 01/01/2016
stage 03/01/2016
stage.2 01/01/2016
stage.3 01/01/2016
*Should be ignored because they don't have subEvents - for example preDeploy.1, postDeploy.1 etc.*
preDeploy 03/01/2016
postDeploy 03/01/2016
devBeta 03/01/2016
Full list of events
master 03/01/2016 01/02/2016
master.1 01/01/2016 01/02/2016
master.2 01/01/2016 01/02/2016
master.3 01/01/2016 01/02/2016
deploy 03/01/2016 01/02/2016
deploy.001 01/01/2016 01/02/2016
deploy.1 01/01/2016 01/02/2016
deploy.2 01/01/2016 01/02/2016
stage 03/01/2016 01/02/2016
stage.2 01/01/2016 01/02/2016
stage.3 01/01/2016 01/02/2016
preDeploy 03/01/2016 01/02/2016
postDeploy 03/01/2016 01/02/2016
devBeta 03/01/2016 01/02/2016
xrtBeta 03/01/2016 01/02/2016
Give this a try
your base search | rex field=Version "(?<parent>\w+)\.*" | eventstats count by parent | where count>1
| stats list(Version) as Version list(LastSeen) as LastSeen by parent
OMG - you made it look so simple.
That looks perfect - he would just need to add | sort parent Version before the stats clause if he wants the order to be identical to his first example, but otherwise this is an elegant solution.
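To check what the accepted search (with the suggested sort) produces before running it against live data, here is a Python re-implementation of the same pipeline over the event list from the question. This is an added example, not part of the original thread or of Splunk itself; the event tuples are constructed from the "Full list of events" above, the parent regex is the one from the answer rewritten in Python's (?P<name>...) group syntax, and STRICT_RE is an assumed alternative added to show the edge case where a version name contains characters other than letters, digits or underscore.

```python
import re
from collections import defaultdict

# Constructed from the "Full list of events" in the question: (Version, LastSeen).
EVENTS = [
    ("master", "03/01/2016"), ("master.1", "01/01/2016"),
    ("master.2", "01/01/2016"), ("master.3", "01/01/2016"),
    ("deploy", "03/01/2016"), ("deploy.001", "01/01/2016"),
    ("deploy.1", "01/01/2016"), ("deploy.2", "01/01/2016"),
    ("stage", "03/01/2016"), ("stage.2", "01/01/2016"),
    ("stage.3", "01/01/2016"),
    ("preDeploy", "03/01/2016"), ("postDeploy", "03/01/2016"),
    ("devBeta", "03/01/2016"), ("xrtBeta", "03/01/2016"),
]

# The answer's pattern: rex field=Version "(?<parent>\w+)\.*"
# \w+ stops at the first non-word character, so "." (and also "-") ends the parent.
ANSWER_RE = re.compile(r"(?P<parent>\w+)\.*")
# Assumed alternative (not from the thread): everything up to the first period.
STRICT_RE = re.compile(r"^(?P<parent>[^.]+)")


def parent_of(version, pattern=ANSWER_RE):
    """Mimic `rex`: unanchored search, return the named group or None."""
    m = pattern.search(version)
    return m.group("parent") if m else None


def group_versions(events, pattern=ANSWER_RE):
    """Reproduce: eventstats count by parent | where count>1
                  | sort parent Version | stats list(...) by parent"""
    rows = []
    counts = defaultdict(int)
    for version, last_seen in events:          # rex: derive parent per event
        p = parent_of(version, pattern)
        rows.append((p, version, last_seen))
        counts[p] += 1                          # eventstats count by parent
    kept = [r for r in rows if counts[r[0]] > 1]   # where count>1
    kept.sort(key=lambda r: (r[0], r[1]))       # sort parent Version (lexicographic)
    groups = {}                                 # stats list(Version) list(LastSeen) by parent
    for p, version, last_seen in kept:
        g = groups.setdefault(p, {"Version": [], "LastSeen": []})
        g["Version"].append(version)
        g["LastSeen"].append(last_seen)
    return groups


if __name__ == "__main__":
    for parent, g in group_versions(EVENTS).items():
        print(parent)
        for v, ls in zip(g["Version"], g["LastSeen"]):
            print(f"  {v:<12} {ls}")
```

Running it prints only the deploy, master and stage groups, each ordered as in the question's "Valid Results"; preDeploy, postDeploy, devBeta and xrtBeta fall out at the count>1 step. Note that stats orders the groups by the by-field, so the output comes out deploy, master, stage rather than master first. The one caveat worth knowing before using the answer's regex on other data is that \w+ also stops at hyphens: a version such as pre-deploy.1 would get parent "pre", so if your version names contain such characters, anchor on the first period instead (the STRICT_RE variant above).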