<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Extractions from query doesn't match events in Splunk Enterprise</title>
    <link>https://community.splunk.com/t5/Splunk-Enterprise/Extractions-from-query-doesn-t-match-events/m-p/123532#M9009</link>
    <description>&lt;P&gt;Just to clarify on this - the script is getting me what I expect and the events actually do show the whole DisplayName value. When I do the query, I &lt;STRONG&gt;don't&lt;/STRONG&gt; get the whole DisplayName value.&lt;/P&gt;</description>
    <pubDate>Wed, 15 Jul 2015 16:23:13 GMT</pubDate>
    <dc:creator>pil321</dc:creator>
    <dc:date>2015-07-15T16:23:13Z</dc:date>
    <item>
      <title>Extractions from query doesn't match events</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise/Extractions-from-query-doesn-t-match-events/m-p/123529#M9006</link>
      <description>&lt;P&gt;I have this query which is "mostly" working:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;sourcetype=Script:InstalledApps | stats values(host) AS Hosts by DisplayName, DisplayVersion
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I get what I'm expecting from the &lt;CODE&gt;sourcetype=Script:InstalledApps&lt;/CODE&gt; part. The events show the whole DisplayName value for the applications. When I do the entire query, I &lt;STRONG&gt;don't&lt;/STRONG&gt; get the whole DisplayName value. For example, "Security Update for Microsoft .NET Framework 4 Client Profile (KB3037578)" displays as "Security" when I do the &lt;CODE&gt;stats values(host) AS Hosts by DisplayName, DisplayVersion&lt;/CODE&gt; part. Seems like it's a problem mostly with descriptions that have more than one word, but not always (?)&lt;/P&gt;</description>
      <pubDate>Wed, 15 Jul 2015 14:55:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise/Extractions-from-query-doesn-t-match-events/m-p/123529#M9006</guid>
      <dc:creator>pil321</dc:creator>
      <dc:date>2015-07-15T14:55:21Z</dc:date>
    </item>
    <item>
      <title>Re: Extractions from query doesn't match events</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise/Extractions-from-query-doesn-t-match-events/m-p/123530#M9007</link>
      <description>&lt;P&gt;Can you post the script up here as it's likely something in the way the script is capturing the application name.&lt;/P&gt;</description>
      <pubDate>Wed, 15 Jul 2015 15:30:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise/Extractions-from-query-doesn-t-match-events/m-p/123530#M9007</guid>
      <dc:creator>jeremiahc4</dc:creator>
      <dc:date>2015-07-15T15:30:08Z</dc:date>
    </item>
    <item>
      <title>Re: Extractions from query doesn't match events</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise/Extractions-from-query-doesn-t-match-events/m-p/123531#M9008</link>
      <description>&lt;P&gt;Sure - the script is from the Splunk Add-on for Windows app (win_installed_apps.bat):&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;@echo off
REM --------------------------------------------------------
REM Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved.
REM --------------------------------------------------------

setlocal EnableDelayedExpansion

REM For each app key, print out the name of the app and any parameters under the entry
for /f "tokens=*" %%G in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" ^| findstr "Uninstall\\"') do (call :output_reg "%%G" 72)

REM Do the same as above but with 32-bit apps, first checking if the key exists
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" &amp;gt;nul 2&amp;gt;&amp;amp;1
if %ERRORLEVEL% EQU 0 (
  for /f "tokens=*" %%G in ('reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" ^| findstr "Uninstall\\"') do (call :output_reg "%%G" 84)
)

goto :eof

:output_reg

    REM Echo an empty line to indicate that this is a new entry
    @echo.

    REM Get the current date into a variable
    for /f "tokens=*" %%A in ('date /t') do for %%B in (%%A) do set date=%%B

    REM Get the current time into a variable
    set time = 'time /t'
    for /f "tokens=1,2 delims=." %%A in ("%time%") do set time=%%A

    REM Print out the date &amp;amp; time
    @echo %date% %time%

    REM Add the enumerated key
    @echo Installed application enumerated from %1

    REM Get the name of the app from the last segment in the registry path
    set app_name=%1

    REM Strips out the first x characters (from input) of the path in order to get just the app name
    set "app_name=!app_name:~%2%,150!"

    REM Strip the last quote
    set app_name=%app_name:~0,-1% 

    REM Store a count value so that we can avoid printing the first entry
    set count=0

    REM This variable determines if the display name was found
    set display_name_found=0

    REM Now get the sub-keys
    for /F "tokens=1,2*" %%A in ('reg query %1') do (
        set /a count+=1

        REM Skip the entry if it just repeats the name we are querying for or if it is blank or if is "&amp;lt;NO" (which indicates the item has no name)
        if not "%%A" == %1 if not "%%A" == "" if not "%%A" == "&amp;lt;NO" echo %%A=%%C

        REM Note that the display name was already found
        if %%A==DisplayName set /a display_name_found=1
    )

    REM If the display name was not found, then use the name of the registry path name instead
    if !display_name_found!==0 echo DisplayName=%app_name%
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 29 Sep 2020 06:41:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise/Extractions-from-query-doesn-t-match-events/m-p/123531#M9008</guid>
      <dc:creator>pil321</dc:creator>
      <dc:date>2020-09-29T06:41:46Z</dc:date>
    </item>
    <item>
      <title>Re: Extractions from query doesn't match events</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise/Extractions-from-query-doesn-t-match-events/m-p/123532#M9009</link>
      <description>&lt;P&gt;Just to clarify on this - the script is getting me what I expect and the events actually do show the whole DisplayName value. When I do the query, I &lt;STRONG&gt;don't&lt;/STRONG&gt; get the whole DisplayName value.&lt;/P&gt;</description>
      <pubDate>Wed, 15 Jul 2015 16:23:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise/Extractions-from-query-doesn-t-match-events/m-p/123532#M9009</guid>
      <dc:creator>pil321</dc:creator>
      <dc:date>2015-07-15T16:23:13Z</dc:date>
    </item>
    <item>
      <title>Re: Extractions from query doesn't match events</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise/Extractions-from-query-doesn-t-match-events/m-p/123533#M9010</link>
      <description>&lt;P&gt;Ah, ok. So it would appear the stats command is truncating your DisplayName to the first word (field delimiter of a space). I'm not seeing anything on why that would be happening at the moment. Perhaps edit your original question if you can to make that point clearer.&lt;/P&gt;</description>
      <pubDate>Wed, 15 Jul 2015 16:49:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise/Extractions-from-query-doesn-t-match-events/m-p/123533#M9010</guid>
      <dc:creator>jeremiahc4</dc:creator>
      <dc:date>2015-07-15T16:49:09Z</dc:date>
    </item>
    <item>
      <title>Re: Extractions from query doesn't match events</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise/Extractions-from-query-doesn-t-match-events/m-p/123534#M9011</link>
      <description>&lt;P&gt;Yes - I could have been clearer. I'll edit the question.&lt;/P&gt;</description>
      <pubDate>Wed, 15 Jul 2015 17:16:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise/Extractions-from-query-doesn-t-match-events/m-p/123534#M9011</guid>
      <dc:creator>pil321</dc:creator>
      <dc:date>2015-07-15T17:16:58Z</dc:date>
    </item>
    <item>
      <title>Re: Extractions from query doesn't match events</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise/Extractions-from-query-doesn-t-match-events/m-p/123535#M9012</link>
      <description>&lt;P&gt;I'm guessing your events have a line like this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;...
DisplayName=Security Update for Microsoft .NET Framework 4 Client Profile (KB3037578)
...
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;While your &lt;CODE&gt;stats&lt;/CODE&gt; - and any other use of the field - only sees &lt;CODE&gt;DisplayName=Security&lt;/CODE&gt;?&lt;/P&gt;

&lt;P&gt;If so, that's due to the way Splunk reads default key-value extractions. There's no quotes surrounding the string, making it hard to automagically recognize that it's more than just a word. To test this, try this search:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; sourcetype=Script:InstalledApps | rex "DisplayName=(?&amp;lt;myDisplayName&amp;gt;.*)" | stats values(host) AS Hosts by myDisplayName, DisplayVersion
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;If that works, move the extraction into Settings -&amp;gt; Fields -&amp;gt; Field Extractions for that sourcetype. Also, make sure to submit feedback to the App's developers to &lt;EM&gt;please, please add quotes&lt;/EM&gt; around the field value to make this unnecessary in the future.&lt;/P&gt;</description>
      <pubDate>Wed, 15 Jul 2015 18:57:50 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise/Extractions-from-query-doesn-t-match-events/m-p/123535#M9012</guid>
      <dc:creator>martin_mueller</dc:creator>
      <dc:date>2015-07-15T18:57:50Z</dc:date>
    </item>
    <item>
      <title>Re: Extractions from query doesn't match events</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise/Extractions-from-query-doesn-t-match-events/m-p/123536#M9013</link>
      <description>&lt;P&gt;That did it... just needed the right SplunkFu! Thanks for the help martin_mueller!&lt;/P&gt;

&lt;P&gt;I'll reach out to the Splunk Add-on for Windows app developers and mention it to them.&lt;/P&gt;</description>
      <pubDate>Thu, 16 Jul 2015 15:36:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise/Extractions-from-query-doesn-t-match-events/m-p/123536#M9013</guid>
      <dc:creator>pil321</dc:creator>
      <dc:date>2015-07-16T15:36:03Z</dc:date>
    </item>
  </channel>
</rss>