Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where and how to exclude one of two unique values in a timechart's by clause

essklau
Path Finder
‎04-09-2014 01:35 PM

I am trying to build a timechart in 24-hr increments which shows a count of hosts by version of a software package. However, there are cases where during those 24-hr spans, more than one version is present, and this makes the below search return more hosts than I have. I only want the most recent (highest) version to be returned, but I can't make the search logic work for me.

The search is:

index=sw sourcetype=package | timechart span=24h dc(host) by version

If I add dedup to hosts before the timechart stanza, of course, I only get one event per host for the entire week. I've fumbled around with latest, and last, but haven't gotten a good outcome.

Could anyone suggest an appropriate search to take days in which two host/version combinations appear and remove the events with the lowest version number?

Thank you.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-09-2014 03:20 PM

This should be faster than doing sort | dedup, and doesn't rely on sortable versions:

index=sw sourcetype=package | bucket span=24h _time as day | stats latest(version) as version by host day | rename day as _time | timechart dc(host) by version

The fiddling with the temporary day field is necessary to determine the latest(version) after bucketing the _time down to whole days.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-09-2014 03:20 PM

This should be faster than doing sort | dedup, and doesn't rely on sortable versions:

index=sw sourcetype=package | bucket span=24h _time as day | stats latest(version) as version by host day | rename day as _time | timechart dc(host) by version

The fiddling with the temporary day field is necessary to determine the latest(version) after bucketing the _time down to whole days.

Reply
Solved! Jump to solution

helge
Builder
‎01-15-2015 04:12 PM

VERY cool, thanks Martin!

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-10-2014 06:16 AM

Cool... I've promoted the comment to an answer so you can mark it as solved.

0 Karma
Reply
Solved! Jump to solution

essklau
Path Finder
‎04-10-2014 06:03 AM

Martin, tried yours with great success. Thank you.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-09-2014 02:06 PM

Try this,

index=sw sourcetype=package | eventstats latest(version) as versionToUse | where version=versionToUse| timechart span=24h dc(host) by version

OR 

index=sw sourcetype=package [index=sw sourcetype=package | head 1 | table version]| timechart span=24h dc(host) by version
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-09-2014 02:17 PM

Since Splunk gives result in chronological order of _time, I believe first should be the one appearing on top . Best option would be to use 'latest'. Will update the answer.

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎04-09-2014 02:12 PM

you meant last(version) that would be the latest

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎04-09-2014 01:57 PM

Try this,

index=sw sourcetype=package |bucket _time span=24h|sort - version|dedup host,_time| timechart  dc(host) as host by version

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...