Solved: How to edit my search to compare software version ...

Aaron_Fogarty · ‎07-27-2016

HI,

I have a field called AppVersion. The field value represents the version of a piece of software.

Example AppVersion = 3.0.1

I am trying to return the most recent version of the App that a user has used.

What I have tried was to break down the value into parts and add them together. The problem with this is, if the value is 3.0.1 or 2.2.0, the summed values are the same. Also, I was only able to display the summed value of the highest version, and not the field AppVersion that I want.

index=abc sourcetype=123 User="john"  AppVersion | rex "AppVersion=(?<versionD1>\d+)" | rex "AppVersion=\d+.(?<versionD2>\d+)" | rex "AppVersion=\d+.\d+.(?<versionD3>\d+)"| eval version= versionD1 + versionD2 + versionD3 | dedup AppVersion | stats max(version) as maxVersion | fields maxVersion AppVersion

Thanks

sundareshr · ‎07-27-2016

Try this

index=abc sourcetype=123 User=*  AppVersion | rex "AppVersion=(?<versionD1>\d+)" | rex "AppVersion=\d+.(?<versionD2>\d+)" | rex "AppVersion=\d+.\d+.(?<versionD3>\d+)" | sort User -versionD1 -versionD2 -versionD3 | streamstats count by User | where count=1 | eval Version = versionD1."."versionD2.".".versionD3 | fields User Version

*OR*

index=abc sourcetype=123 User=*  AppVersion | rex "AppVersion=(?<versionD1>\d+)" | rex "AppVersion=\d+.(?<versionD2>\d+)" | rex "AppVersion=\d+.\d+.(?<versionD3>\d+)" | stats max(versionD1) as v1 max(versionD2) as v2 max(versionD3) as v3 by User | eval Version = v1."."v2.".".v3 | fields User Version

View solution in original post

sundareshr · ‎07-27-2016

Try this

index=abc sourcetype=123 User=*  AppVersion | rex "AppVersion=(?<versionD1>\d+)" | rex "AppVersion=\d+.(?<versionD2>\d+)" | rex "AppVersion=\d+.\d+.(?<versionD3>\d+)" | sort User -versionD1 -versionD2 -versionD3 | streamstats count by User | where count=1 | eval Version = versionD1."."versionD2.".".versionD3 | fields User Version

*OR*

index=abc sourcetype=123 User=*  AppVersion | rex "AppVersion=(?<versionD1>\d+)" | rex "AppVersion=\d+.(?<versionD2>\d+)" | rex "AppVersion=\d+.\d+.(?<versionD3>\d+)" | stats max(versionD1) as v1 max(versionD2) as v2 max(versionD3) as v3 by User | eval Version = v1."."v2.".".v3 | fields User Version

Aaron_Fogarty · ‎07-27-2016

The first example works great.
Thanks sundareshr

HeinzWaescher · ‎07-27-2016

Try this:

index=abc sourcetype=123 User="john"  AppVersion
| stats latest(AppVersion)

Aaron_Fogarty · ‎07-27-2016

Hey HeinzWaescher,

Thanks for the reply but this didnt work. It looks like latest() command returns the latest value by its time stamp.

HeinzWaescher · ‎07-27-2016

Yes it does, I thought that is your goal.

Aaron_Fogarty · ‎07-27-2016

No not by time but by the value of the field AppVersion. I am looking to return the latest Version of the of the software.

For Example if the values are

AppVersion = 3.0.1
and
AppVersion = 2.2.0

The latest version in this case would be 3.0.1 and that is the value I want returned.

Thanks

HeinzWaescher · ‎07-27-2016

what about

| rex field=AppVersion "(?.).(?.).(?.*)"
| eval AppVersion=a."".b."".c
| stats max(AppVersion)

Aaron_Fogarty · ‎07-27-2016

Hey HeinzWaescher ,
I could not get this to work either.
but Thanks again

How to edit my search to compare software version numbers to find the latest version?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life