Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find an exclusive value based on another field

JoshuaJohn
Contributor
‎07-29-2019 03:50 PM

There are 3 fields important to this search

Application
InstalledVersion
InstalledStatus

I am trying to find devices that are missing an Application completely, (not just missing the latest version of the application)

So as an example

I made an app called Fact_Checker V.1, then I updated this application:
Fact_Checker v.2

I want to know what devices do not have the application at all

I have tried:
InstalledStatus NOT Installed -
No results (Because it checks ALL applications for the Installed status = Installed which is not what I need, I need it to show by application, some might be empty because they have zero devices with no installs but others will have a few missing the application completely)

InstalledStatus != Installed -
Shows me previous versions or new versions of the same application

Search (Application=* AND InstalledStatus NOT Installed) -
No results

The issue is I have other applications also reporting, I need this done on a per app basis.

Ie:
How many do not have any version of Fact_Checker installed?
How many do not have any version Browser_App installed?
How many do not have any version Wifi_Settings_App installed?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-29-2019 05:06 PM

Like this:

... | stats values(Application) AS Application BY host 
| stats list(*) AS * BY host 
| eval Application = mvappend(Application, "COUNTER") 
| stats dc(host) AS host_count BY Application
| eventstats max(host_count) AS total_host_count
| search NOT Application="COUNTER"
| eval missing_host_count = total_host_count - host_count

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-29-2019 05:06 PM

Like this:

... | stats values(Application) AS Application BY host 
| stats list(*) AS * BY host 
| eval Application = mvappend(Application, "COUNTER") 
| stats dc(host) AS host_count BY Application
| eventstats max(host_count) AS total_host_count
| search NOT Application="COUNTER"
| eval missing_host_count = total_host_count - host_count
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...