Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Need to sort macOS versions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I imported data from jamf cloud into splunk and one of the fields being returned is the operating system version. It seems to be in a x.y.z format. I am removing the last two characters to get a count of the "major" versions to get a report by count. So far this works, but I'm trying to sort by the operating system version and the sorting doesn't seem to work. This is my search:
index="endpoint_apple" sourcetype="jamf:computers" | eval Operating_System_Version_Major = substr(Operating_System_Version, 1, len(Operating_System_Version)-2) | chart count(Operating_System_Version_Major) as count by Operating_System_Version_Major | sort -Operating_System_Version_Major
The data is being returned like this:
Operating_System_Version_Major count
10.9 2
10.8 1
10.7 3
10.15 6
10.14 362
10.13 321
10.12 259
10.11 73
10.10 5
I cannot figure out why 10.7 through 10.9 are being sorted higher than 10.15. I've tried "sort -num*Operating_System_Version_Major)" with no change, and I also have alternated between "chart" and "stats" to get the count. I've also attempted to remove the eval and just sort on Operating_System_Version with the same results. I'm not really sure what I'm missing, so if someone can point me in the right direction, I'd appreciate it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jbandautrgv,
That's because version is a string and hence it sorts in lexicographical order
Try
index="endpoint_apple" sourcetype="jamf:computers"
| eval Operating_System_Version_Major = substr(Operating_System_Version, 1, len(Operating_System_Version)-2)
| chart count(Operating_System_Version_Major) as count by Operating_System_Version_Major
| eval num=replace(version,"\.","")|sort num|fields - num
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jbandautrgv,
That's because version is a string and hence it sorts in lexicographical order
Try
index="endpoint_apple" sourcetype="jamf:computers"
| eval Operating_System_Version_Major = substr(Operating_System_Version, 1, len(Operating_System_Version)-2)
| chart count(Operating_System_Version_Major) as count by Operating_System_Version_Major
| eval num=replace(version,"\.","")|sort num|fields - num
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, I see what you did. I was hoping I could force splunk to treat "10.15" as a decimal and sort it like that, but what you suggested converting "10.15" to "1015" did work.
App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community
Operationalizing Entity Risk Score with Enterprise Security 8.3+
Unlock Database Monitoring with Splunk Observability Cloud
