topic Re: Attempting to write a search to find all CrowdStrike agents that are installed on the hosts in our environment in Splunk Search

Attempting to write a search to find all CrowdStrike agents that are installed on the hosts in our environment

Ghost — Mon, 05 May 2025 19:49:33 GMT

Hello,

Got tasked with finding all hosts that didnt have the crowdstrike agent installed and running into problems with my searches.

Ive used the following "CSFalconservice.exe | stats count by host" & "index=*sourcetype="crowdstrike:events:sensor" | stats count by host" but its not giving me the information per each individual hosts.

V/r

Ghost

Re: Attempting to write a search to find all CrowdStrike agents that are installed on the hosts in our environment

livehybrid — Mon, 05 May 2025 20:12:00 GMT

Hi @Ghost

Its generally not advisable to run index=* if you can avoid it - do you know where you crowdstrike data is being ingested, and are you able to confirm that you have access to it?

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Attempting to write a search to find all CrowdStrike agents that are installed on the hosts in our environment

Ghost — Mon, 05 May 2025 20:26:14 GMT

i do have access to it its under index=falcon with a sourcetype="crowdstrike:events:sensor or crowdstrike*". Just trying to find a full proof way to view 100% of the hosts that have the agent installed with each of the hosts source IP. if I could get a true and false statement saying no crowdstrike agent is installed on the list that would be great. But sadly im not that versed at Splunkfu.