Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where and how to exclude one of two unique values in a timechart's by clause

essklau
Path Finder
‎04-09-2014 01:35 PM

I am trying to build a timechart in 24-hr increments which shows a count of hosts by version of a software package. However, there are cases where during those 24-hr spans, more than one version is present, and this makes the below search return more hosts than I have. I only want the most recent (highest) version to be returned, but I can't make the search logic work for me.

The search is:

index=sw sourcetype=package | timechart span=24h dc(host) by version

If I add dedup to hosts before the timechart stanza, of course, I only get one event per host for the entire week. I've fumbled around with latest, and last, but haven't gotten a good outcome.

Could anyone suggest an appropriate search to take days in which two host/version combinations appear and remove the events with the lowest version number?

Thank you.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-09-2014 03:20 PM

This should be faster than doing sort | dedup, and doesn't rely on sortable versions:

index=sw sourcetype=package | bucket span=24h _time as day | stats latest(version) as version by host day | rename day as _time | timechart dc(host) by version

The fiddling with the temporary day field is necessary to determine the latest(version) after bucketing the _time down to whole days.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-09-2014 03:20 PM

This should be faster than doing sort | dedup, and doesn't rely on sortable versions:

index=sw sourcetype=package | bucket span=24h _time as day | stats latest(version) as version by host day | rename day as _time | timechart dc(host) by version

The fiddling with the temporary day field is necessary to determine the latest(version) after bucketing the _time down to whole days.

Reply
Solved! Jump to solution

helge
Builder
‎01-15-2015 04:12 PM

VERY cool, thanks Martin!

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-10-2014 06:16 AM

Cool... I've promoted the comment to an answer so you can mark it as solved.

0 Karma
Reply
Solved! Jump to solution

essklau
Path Finder
‎04-10-2014 06:03 AM

Martin, tried yours with great success. Thank you.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-09-2014 02:06 PM

Try this,

index=sw sourcetype=package | eventstats latest(version) as versionToUse | where version=versionToUse| timechart span=24h dc(host) by version

OR 

index=sw sourcetype=package [index=sw sourcetype=package | head 1 | table version]| timechart span=24h dc(host) by version
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-09-2014 02:17 PM

Since Splunk gives result in chronological order of _time, I believe first should be the one appearing on top . Best option would be to use 'latest'. Will update the answer.

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎04-09-2014 02:12 PM

you meant last(version) that would be the latest

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎04-09-2014 01:57 PM

Try this,

index=sw sourcetype=package |bucket _time span=24h|sort - version|dedup host,_time| timechart  dc(host) as host by version

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...