Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Counting Number of Field Installs ( Counting Latest event only)

raby1996
Path Finder
‎07-25-2016 09:19 AM

Hi all,

I am attempting to count the number of Installs of certain code levels for field machines. Essentially I am extracting this information from some logs, and then I am listing all the code levels by machine serial, this gives me the code level history of a machine. Where I am struggling is being able to list current installs of the code levels, so this would include counts of 0 since not all code levels are currently being used, however I feel that my current approach isn't appropriate , I've included some samples below.

First part of Search-

Search.......| stats values(code_level) as code_level list(time_on_machine) as time_on_machine by Machine_Serial
| stats dc(Machine_Serial) as installs sum(time_on_machine) by code_level

Results- 

Machine_Serial                     code_level         time_on_machine

75abc                                  1.1                  365
                                       1.3                  20
                                       1.4                  50 

75dfe                                  1.1                  10
                                       1.3                  15
                                       1.5                  7


75xyz                                  1.3                  25
                                       1.4                  50

As mentioned above from this search I can see a historical view of the code history for machines as well as the time it spent on a machine. Essentially only the latest code level ( the one at the bottom of each group I.E the largest one ) would count as an install so for the first group ( serial 75abc ) code level 1.1 would be a current install, but 1.3 and 1.4 would not count towards installs on their respective level, however I do take their time_on_machine field and add that to the rest, so it would look something like this-

Desired Results-

    code_level         current_installs              time_on_machine_sum  
    1.1                        0                            375
    1.3                        0                            60
    1.4                        2                            100
    1.5                        1                            7

Is there any way I can achieve the current_installs portion of this search? Thank you in advance, and please let me know if something was not clear.

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-25-2016 11:33 AM

Give this a try

 Search.......| stats values(code_level) as code_level list(time_on_machine) as time_on_machine by Machine_Serial
| eval latest_code_level=mvindex(code_level,-1)
| eval latest_time_on_machine=mvindex(time_on_machine,-1)
| eval temp=mvzip(code_level,time_on_machine,"#") | fields - code_level, time_on_machine | mvexpand temp | rex field=temp "(?<code_level>.+)#(?<time_on_machine>.+)" | fields - temp
| eval current_install=if(code_level=latest_code_level,1,0)
| stats sum(current_install) as current_install sum(time_on_machine) as time_on_machine by code_level

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-25-2016 11:33 AM

Give this a try

 Search.......| stats values(code_level) as code_level list(time_on_machine) as time_on_machine by Machine_Serial
| eval latest_code_level=mvindex(code_level,-1)
| eval latest_time_on_machine=mvindex(time_on_machine,-1)
| eval temp=mvzip(code_level,time_on_machine,"#") | fields - code_level, time_on_machine | mvexpand temp | rex field=temp "(?<code_level>.+)#(?<time_on_machine>.+)" | fields - temp
| eval current_install=if(code_level=latest_code_level,1,0)
| stats sum(current_install) as current_install sum(time_on_machine) as time_on_machine by code_level
Reply
Solved! Jump to solution

raby1996
Path Finder
‎07-25-2016 01:29 PM

Worked Perfectly thank you!

P.S. one small thing there is a "(" missing after mvindex on the 3rd line

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-25-2016 01:53 PM

Thanks for noticing the type. Just corrected it.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-25-2016 10:21 AM

How about this?

Search.......| stats dc(Machine_Serial) as current_installs sum(time_on_machine) as  time_on_machine_sum by  code_level
0 Karma
Reply
Solved! Jump to solution

raby1996
Path Finder
‎07-25-2016 10:24 AM

Hello sundareshr,
I've tried that, but this will return a count that includes code levels that are no longer on that machine so where I should get a 0 for example, I'll end up getting a value of 1 or more. Still thank you

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...