Hello,
The table below are the results from a REST query that shows the installed Apps/TA's from various servers (4 in the example) at my site.
| rest /services/apps/local | search disabled=0 core=0| dedup title |table label title version| collect index=test sourcetype=apps:installed
The following search produces the table below with Version mismatches highlighted in red:
index=test sourcetype="apps:installed"
| fillnull value="None" version, title
| table host label title version |rename label AS AppName | sort AppNam
| host | AppName | Label | Version |
| Server1 | Add-on for VMware ESXi Logs | Splunk_TA_esxilogs | 4.1.0 |
| Server2 | Add-on for VMware ESXi Logs | Splunk_TA_esxilogs | 4.1.0 |
| Server3 | Add-on for VMware ESXi Logs | Splunk_TA_esxilogs | 4.0.0 |
| Server1 | Add-on for VMware Metrics | Splunk_TA_vmware_inframon | 4.1.0 |
| Server1 | Add-on for Virtual Center | Splunk_TA_vcenter | 4.1.0 |
| Server2 | Add-on for Virtual Center | Splunk_TA_vcenter | 4.1.0 |
| Server3 | Add-on for Virtual Center | Splunk_TA_vcenter | 4.1.0 |
| Server4 | Add-on for Virtual Center | Splunk_TA_vcenter | 4.1.0 |
| Server1 | Add-on for ontap | Splunk_TA_ontap | 3.0.0 |
| Server1 | Ansible Monitoring & Diagnostics | Ansible_Splunk | 1.2.2 |
| Server1 | Admin Authentication | all_adminauth | 0.1.0 |
| Server2 | Admin Authentication | all_adminauth | 0.1.0 |
| Server3 | Admin Authentication | all_adminauth | 1.0.0 |
| Server4 | Admin Authentication | all_adminauth | 1.0.0 |
There is no entry in the results for a server if the App/TA isn't installed.
What I am asking for help on is a search that will show the entries that are mismatched on the "Version" field based on the "AppName" field. The rows where all versions match with the AppName can be ignored.
Thank you.
