Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Software Versions not comparing correctly

Abe_T
Explorer
‎09-27-2021 01:29 PM

I am sure I am sure I am missing something easy but, for some reason, when I compare these two values (they are in string format from my data) the comparison isn't correct. I don't seem to have this issue when I use this EVAL statement with other versions I have, but for some reason, this comparison just throws it out of whack:

 

 

 

| eval Status=case("21.3.0.44"<"5.5.5.0","Declining","21.3.0.44"="5.5.5.0","Mainstream","21.3.0.44">"5.5.5.0","Emerging")

 

 

The result just shows "21.3.0.44" as always less-than. Please advise if I am missing some caveat I am not aware of. P.S. I tried converting to these to numbers but due to all the decimals in version numbers, the number isn't valid. I suppose I could replace the decimals somehow but thought I would ask first before I try going down this route.

Thanks in Advance!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-29-2021 03:33 PM

@Abe_T 

Good pick! There was a final case statement missing where a part equals the same part of the other version, in which case State became null, having already been set. Should have been

| makeresults
| eval testVersion=split("5.5.5.0;21.3.0.44;21.1.0.133", ";"), myVersion=split("21.3.0.44;5.5.5.0;4.18.19.216;7.999.1.4;5.5.1.3;7.5.5.0;3.5.5.0;104.99.1.1",";")
| mvexpand myVersion
| mvexpand testVersion
| eval testParts=split(testVersion,"."), myParts=split(myVersion,".")
| foreach 0 1 2 3 [ eval tp=mvindex(testParts,<<FIELD>>), mp=mvindex(myParts,<<FIELD>>), State=case(mp<tp, coalesce(State,"Declining"), mp>tp, coalesce(State, "Emerging"), 1==1, State) ]
| fillnull State value="Mainstream"
| table myVersion testVersion State
| sort testVersion

i.e. add in the final case (1==1, State)

I added your test case in the above, which seems to handle all cases now - so you just need that single foreach line and the fillnull following. (I have removed you 'currentState' var).

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-29-2021 11:40 PM

Ahhh. I knew there must be a "splunky" (i.e. non-iterative) version. Took me a while but here it is.

| makeresults 
| eval ver1="1.4.4.1", ver2="1.4.4"
| eval ver1split=split(ver1,"."), ver2split=split(ver2,".") 
| eval vercombined=mvzip(ver1split,ver2split)
| eval verdiffs=mvmap(vercombined,tonumber(mvindex(split(vercombined,","),0,0))-tonumber(mvindex(split(vercombined,","),1,1)))
| eval verdiffpos=mvfind(verdiffs,"^[^0]")
| eval verdiffval=mvindex(verdiffs,verdiffpos,verdiffpos)
| eval verdiffsign=case(verdiffval>0,-1,verdiffval<0,1,1=1,0)
| eval verresult=if(isnotnull(verdiffpos),verdiffsign,case(mvcount(ver1split)>mvcount(ver2split),-1,mvcount(ver1split)<mvcount(ver2split),1,1=1,0))

It's ugly as hell but it works for any length of version numbers and doesn't use any iterative features (foreach, map or anything like that). Works only on multivalue fields.

It compares version numbers by finding an index on which one "number" differs from the other. If both are "equal" but one of them has additional components at the end, it's considered a higher version number.

So "1.0.2">"1.0.2", "2.0.1">"1.0.4.2.12", but "1.0.1.2">"1.0.1"

Returns -1 if ver1>ver2, 1 if ver1<ver2 or 0 if they are equal

Two remarks:

1) Can be reworked to use less pipes and less intermediate fields but it'd get sooooo ugly...

2) As a nice side-effect, if you add another base to tonumber() calls, you can compare non-decimal numbered versions.

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎09-27-2021 03:56 PM

String comparisons are always lexographic, i.e. 21 is always less than 5 as the string 2 is less than the string 5. If you were to compare the strings 21 with 05 then 21 would be > than 05.

To handle version number comparisons would need something like this (sets up an example data set then does the comparisons - paste this search into the search window)

| makeresults
| eval testVersion="5.5.5.0", myVersion=split("21.3.0.44;5.5.5.0;4.18.19.216;7.999.1.4;5.5.1.3",";")
| mvexpand myVersion
| eval testParts=split(testVersion,"."), myParts=split(myVersion,".")
| foreach 0 1 2 3 [ eval tp=mvindex(testParts,<<FIELD>>), mp=mvindex(myParts,<<FIELD>>), State=case(mp<tp, coalesce(State,"Declining"), mp>tp, coalesce(State, "Emerging")) ]
| fillnull State value="Mainstream"
| table myVersion testVersion State

i.e 4 test versions. This will

  • split the version into its 4 component parts
  • compare each part from your version to the test version and set the state accordingly
    • Note that this ONLY checks less than and greater than
    • the coalesce statement will ensure that only the first state is recognised
  • finally if no State is set, all parts must have been equal, so it's Mainstream

Note that foreach will perform checks for 4 parts. If your versions have different numbers of parts, then it will have to work differently.

 

0 Karma
Reply
Solved! Jump to solution

Abe_T
Explorer
‎09-29-2021 12:08 PM

Thank you so much, this is great! Any thoughts on how to easily do a "05" to "21" comparison? I have to account for these still, even with your great solution, because we are encountering situations where the last part of the version number are misreading still. Is there a way in Splunk to check if it's more than 1 digit string to force it to compare as a number? I'm fairly new to Splunk so I am not sure how that would look.

 

Example of issue (should be "Declining"):

| makeresults
| eval testVersion="21.1.0.133", myVersion=split("5.5.0.144",";")
| mvexpand myVersion
| eval testParts=split(testVersion,"."), myParts=split(myVersion,".")
| foreach 0 1 2 3 [ eval tp=mvindex(testParts,<<FIELD>>), mp=mvindex(myParts,<<FIELD>>), State=case(mp<tp, coalesce(State,"Declining"), mp>tp, coalesce(State, "Emerging")) 
    | eval currentState = if(isnull(State),currentState, State)]
| fillnull currentState value="Mainstream"
| table myVersion testVersion currentState

Thanks in advance

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-29-2021 03:33 PM

@Abe_T 

Good pick! There was a final case statement missing where a part equals the same part of the other version, in which case State became null, having already been set. Should have been

| makeresults
| eval testVersion=split("5.5.5.0;21.3.0.44;21.1.0.133", ";"), myVersion=split("21.3.0.44;5.5.5.0;4.18.19.216;7.999.1.4;5.5.1.3;7.5.5.0;3.5.5.0;104.99.1.1",";")
| mvexpand myVersion
| mvexpand testVersion
| eval testParts=split(testVersion,"."), myParts=split(myVersion,".")
| foreach 0 1 2 3 [ eval tp=mvindex(testParts,<<FIELD>>), mp=mvindex(myParts,<<FIELD>>), State=case(mp<tp, coalesce(State,"Declining"), mp>tp, coalesce(State, "Emerging"), 1==1, State) ]
| fillnull State value="Mainstream"
| table myVersion testVersion State
| sort testVersion

i.e. add in the final case (1==1, State)

I added your test case in the above, which seems to handle all cases now - so you just need that single foreach line and the fillnull following. (I have removed you 'currentState' var).

 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-30-2021 11:13 AM

Unfortunately, you're limited to harcoded limit of 4 segments in the version number.

And in case of versions of different length but with one being a prefix of the other (like 1.1.0 and 1.1.0.2) it treats them as equal versions.

0 Karma
Reply
Solved! Jump to solution

Abe_T
Explorer
‎09-30-2021 10:17 AM

This works great! I'll mark this as resolved. Just a question on the logic so I understand:

  • You're moving from left to right checking if each element is greater or less than.
  • Then based off the last value of State in the foreach statement, you are determining if the whole thing is Emerging or Declining?

Let me know if I am misunderstanding.

Thanks in advance.

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...