Splunk Search

Counting Number of Field Installs ( Counting Latest event only)

raby1996
Path Finder

Hi all,

I am attempting to count the number of Installs of certain code levels for field machines. Essentially I am extracting this information from some logs, and then I am listing all the code levels by machine serial, this gives me the code level history of a machine. Where I am struggling is being able to list current installs of the code levels, so this would include counts of 0 since not all code levels are currently being used, however I feel that my current approach isn't appropriate , I've included some samples below.

First part of Search-

Search.......| stats values(code_level) as code_level list(time_on_machine) as time_on_machine by Machine_Serial
| stats dc(Machine_Serial) as installs sum(time_on_machine) by code_level

Results-

Machine_Serial                     code_level         time_on_machine

75abc                                  1.1                  365
                                       1.3                  20
                                       1.4                  50 

75dfe                                  1.1                  10
                                       1.3                  15
                                       1.5                  7


75xyz                                  1.3                  25
                                       1.4                  50

As mentioned above from this search I can see a historical view of the code history for machines as well as the time it spent on a machine. Essentially only the latest code level ( the one at the bottom of each group I.E the largest one ) would count as an install so for the first group ( serial 75abc ) code level 1.1 would be a current install, but 1.3 and 1.4 would not count towards installs on their respective level, however I do take their time_on_machine field and add that to the rest, so it would look something like this-

Desired Results-

    code_level         current_installs              time_on_machine_sum  
    1.1                        0                            375
    1.3                        0                            60
    1.4                        2                            100
    1.5                        1                            7

Is there any way I can achieve the current_installs portion of this search? Thank you in advance, and please let me know if something was not clear.

1 Solution

somesoni2
SplunkTrust
SplunkTrust

Give this a try

 Search.......| stats values(code_level) as code_level list(time_on_machine) as time_on_machine by Machine_Serial
| eval latest_code_level=mvindex(code_level,-1)
| eval latest_time_on_machine=mvindex(time_on_machine,-1)
| eval temp=mvzip(code_level,time_on_machine,"#") | fields - code_level, time_on_machine | mvexpand temp | rex field=temp "(?<code_level>.+)#(?<time_on_machine>.+)" | fields - temp
| eval current_install=if(code_level=latest_code_level,1,0)
| stats sum(current_install) as current_install sum(time_on_machine) as time_on_machine by code_level

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Give this a try

 Search.......| stats values(code_level) as code_level list(time_on_machine) as time_on_machine by Machine_Serial
| eval latest_code_level=mvindex(code_level,-1)
| eval latest_time_on_machine=mvindex(time_on_machine,-1)
| eval temp=mvzip(code_level,time_on_machine,"#") | fields - code_level, time_on_machine | mvexpand temp | rex field=temp "(?<code_level>.+)#(?<time_on_machine>.+)" | fields - temp
| eval current_install=if(code_level=latest_code_level,1,0)
| stats sum(current_install) as current_install sum(time_on_machine) as time_on_machine by code_level

raby1996
Path Finder

Worked Perfectly thank you!

P.S. one small thing there is a "(" missing after mvindex on the 3rd line

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Thanks for noticing the type. Just corrected it.

0 Karma

sundareshr
Legend

How about this?

Search.......| stats dc(Machine_Serial) as current_installs sum(time_on_machine) as  time_on_machine_sum by  code_level
0 Karma

raby1996
Path Finder

Hello sundareshr,
I've tried that, but this will return a count that includes code levels that are no longer on that machine so where I should get a 0 for example, I'll end up getting a value of 1 or more. Still thank you

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...