Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where and how to exclude one of two unique values in a timechart's by clause

essklau
Path Finder
‎04-09-2014 01:35 PM

I am trying to build a timechart in 24-hr increments which shows a count of hosts by version of a software package. However, there are cases where during those 24-hr spans, more than one version is present, and this makes the below search return more hosts than I have. I only want the most recent (highest) version to be returned, but I can't make the search logic work for me.

The search is:

index=sw sourcetype=package | timechart span=24h dc(host) by version

If I add dedup to hosts before the timechart stanza, of course, I only get one event per host for the entire week. I've fumbled around with latest, and last, but haven't gotten a good outcome.

Could anyone suggest an appropriate search to take days in which two host/version combinations appear and remove the events with the lowest version number?

Thank you.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-09-2014 03:20 PM

This should be faster than doing sort | dedup, and doesn't rely on sortable versions:

index=sw sourcetype=package | bucket span=24h _time as day | stats latest(version) as version by host day | rename day as _time | timechart dc(host) by version

The fiddling with the temporary day field is necessary to determine the latest(version) after bucketing the _time down to whole days.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-09-2014 03:20 PM

This should be faster than doing sort | dedup, and doesn't rely on sortable versions:

index=sw sourcetype=package | bucket span=24h _time as day | stats latest(version) as version by host day | rename day as _time | timechart dc(host) by version

The fiddling with the temporary day field is necessary to determine the latest(version) after bucketing the _time down to whole days.

Reply
Solved! Jump to solution

helge
Builder
‎01-15-2015 04:12 PM

VERY cool, thanks Martin!

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-10-2014 06:16 AM

Cool... I've promoted the comment to an answer so you can mark it as solved.

0 Karma
Reply
Solved! Jump to solution

essklau
Path Finder
‎04-10-2014 06:03 AM

Martin, tried yours with great success. Thank you.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-09-2014 02:06 PM

Try this,

index=sw sourcetype=package | eventstats latest(version) as versionToUse | where version=versionToUse| timechart span=24h dc(host) by version

OR 

index=sw sourcetype=package [index=sw sourcetype=package | head 1 | table version]| timechart span=24h dc(host) by version
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-09-2014 02:17 PM

Since Splunk gives result in chronological order of _time, I believe first should be the one appearing on top . Best option would be to use 'latest'. Will update the answer.

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎04-09-2014 02:12 PM

you meant last(version) that would be the latest

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎04-09-2014 01:57 PM

Try this,

index=sw sourcetype=package |bucket _time span=24h|sort - version|dedup host,_time| timechart  dc(host) as host by version

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...