Hi,
I have a field called AppVersion. The field value represents the version of a piece of software.
Example AppVersion = 3.0.1
I am trying to return the most recent version of the App that a user has used.
What I have tried was to break down the value into parts and add them together. The problem with this is, if the value is 3.0.1 or 2.2.0, the summed values are the same. Also, I was only able to display the summed value of the highest version, and not the field AppVersion that I want.
index=abc sourcetype=123 User="john" AppVersion | rex "AppVersion=(?<versionD1>\d+)" | rex "AppVersion=\d+.(?<versionD2>\d+)" | rex "AppVersion=\d+.\d+.(?<versionD3>\d+)"| eval version= versionD1 + versionD2 + versionD3 | dedup AppVersion | stats max(version) as maxVersion | fields maxVersion AppVersion
Thanks
Try this
index=abc sourcetype=123 User=* AppVersion | rex "AppVersion=(?<versionD1>\d+)" | rex "AppVersion=\d+\.(?<versionD2>\d+)" | rex "AppVersion=\d+\.\d+\.(?<versionD3>\d+)" | sort User -versionD1 -versionD2 -versionD3 | streamstats count by User | where count=1 | eval Version = versionD1.".".versionD2.".".versionD3 | fields User Version
*OR*
index=abc sourcetype=123 User=* AppVersion | rex "AppVersion=(?<versionD1>\d+)" | rex "AppVersion=\d+\.(?<versionD2>\d+)" | rex "AppVersion=\d+\.\d+\.(?<versionD3>\d+)" | stats max(versionD1) as v1 max(versionD2) as v2 max(versionD3) as v3 by User | eval Version = v1.".".v2.".".v3 | fields User Version
The first example works great.
Thanks sundareshr
Try this:
index=abc sourcetype=123 User="john" AppVersion
| stats latest(AppVersion)
Hey HeinzWaescher,
Thanks for the reply, but this didn't work. It looks like the latest() command returns the latest value by its time stamp.
Yes it does, I thought that is your goal.
No, not by time but by the value of the field AppVersion. I am looking to return the latest Version of the software.
For Example if the values are
AppVersion = 3.0.1
and
AppVersion = 2.2.0
The latest version in this case would be 3.0.1 and that is the value I want returned.
Thanks
What about
| rex field=AppVersion "(?<a>.*).(?<b>.*).(?<c>.*)"
| eval AppVersion=a."".b."".c
| stats max(AppVersion)
Hey HeinzWaescher,
I could not get this to work either.
But thanks again
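The following is an added example, not part of the original thread and not Splunk code: a Python sketch of the comparison logic behind the approaches discussed above, showing why summing the parts, taking an independent max per part, and comparing raw strings each pick the wrong version, while ordering by (major, minor, patch) keeps the original AppVersion string. The sample events and all function names are constructed for illustration, and it assumes versions have exactly three numeric parts.

```python
# Added example (not from the thread). Sample events are constructed.
from collections import defaultdict

EVENTS = [  # constructed (User, AppVersion) pairs
    ("john", "3.0.1"), ("john", "2.2.0"), ("john", "3.10.0"), ("john", "3.9.2"),
    ("mary", "1.9.9"), ("mary", "1.10.0"),
    ("mary", "beta"),  # malformed value: skipped rather than crashing
]

def parse(version):
    """Return (major, minor, patch) as ints, or None if not N.N.N."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def by_user(events):
    """Group well-formed version strings by user."""
    grouped = defaultdict(list)
    for user, version in events:
        if parse(version) is not None:
            grouped[user].append(version)
    return grouped

def latest_by_sum(versions):
    # Approach from the question: 3.0.1 and 2.2.0 both sum to 4.
    return max(sum(parse(v)) for v in versions)

def latest_by_component_max(versions):
    # Independent max per part can assemble a version nobody ran.
    return ".".join(str(max(col)) for col in zip(*map(parse, versions)))

def latest_by_string(versions):
    # Plain string comparison ranks "3.9.2" above "3.10.0".
    return max(versions)

def latest_by_tuple(versions):
    # Compare major, then minor, then patch; return the original string.
    return max(versions, key=parse)

def latest_per_user(events):
    return {u: latest_by_tuple(vs) for u, vs in by_user(events).items()}

if __name__ == "__main__":
    for user, version in sorted(latest_per_user(EVENTS).items()):
        print(user, version)
```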