All Apps and Add-ons

Determining if software is NOT installed

manderson7
Contributor

We're trying to gather a list of servers, both linux and windows that are missing specific software packages. It's easy enough to get the list of servers that has the software installed.

search software IN ("CrowdStrike")

I was hoping I could search against the software package, like

search NOT software in ("CrowdStrike")

but that still displays hosts with CrowdStrike installed, just not that particular event showing that CrowdStrike is indeed installed.

I thought of making an eval

|eval cs_win_installed=if(match(software, "CrowdStrike"),1,0)

and then searching for 0 or 1 depending on what I care about, but can I do that with all the software that I'm searching on? Running that eval for multiple pieces of software

| eval cs_lin_is_installed=if(match(software, "falcon-sensor"),1,0)
| eval cs_win_is_installed=if(match(software, "CrowdStrike Windows Sensor"),1,0)
| eval q_is_installed=if(match(software, "Qualys"),1,0)
| eval f_is_installed=if(match(software, "SecureConnector"),1,0)

only returns the event showing that one piece of software is on the machine.

Am I overthinking this? How should I go about displaying hosts with missing software?

Thanks much.

1 Solution

richgalloway
SplunkTrust

Finding something that is not there is not Splunk's strong suit. See this blog entry for a good write-up on it.
https://www.duanewaddle.com/proving-a-negative/

---
If this reply helps you, an upvote would be appreciated.


PickleRick
Ultra Champion

There's no input, so we don't know what exactly your events look like, but judging from the rest of the question it seems that you have separate events showing a single "package" installation (kinda like in a relational database).

So it's only fair that Splunk shows events where a particular field does not equal your value (again, kinda like in an SQL database: if you had a relation table linking the "computer" table and the "package" table, just listing all relations for which package!=Crowdstrike won't find you the computers without Crowdstrike; it just shows you all other software installations).

So in order to find all computers which do not have a specific package installed you first have to aggregate all packages on the computers.

By analogy:

I have an index linux_auditd which contains your typical auditd logs. Every event has an action which can be (in my case) of value "success", "failure" or "unknown".

I have possible combinations of host/action pairs:

host     action
srv3     success
srv3     failure
srv3     unknown
backup1  success

Let's assume I want to find a host for which a particular action doesn't occur (let's say - success)

If I wanted to just filter out rows where action=success, I'd still be left with srv3/failure and srv3/unknown pairs, which is not what I want.

So I need to aggregate the actions into a single multi-valued field.

| stats values(action) as actions by host

Then you'll get

host     actions
srv3     success
         failure
         unknown
backup1  success

And now you can leverage the fact that Splunk does field comparison for each value of a multivalue field (which can be good or bad depending on what you want and how you do it).

So now you can append your

| search actions!=success

or

| search actions!=failure

to this transformed data.



manderson7
Contributor

Thanks Rich. Sounds like I need to create a lookup table with a list of known hosts, and search against that?


richgalloway
SplunkTrust
SplunkTrust

Yes.

---
If this reply helps you, an upvote would be appreciated.
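Putting the two suggestions from this thread together (aggregate installed packages per host, then compare against a lookup of known hosts), as an added SPL example that is not from any of the posters. It assumes an index `inventory` with sourcetype `software_inventory` holding one event per installed package in the field `software`, and a lookup file `known_hosts.csv` with a `host` column; all of these names are made up for the example. The first `stats` collapses each host's packages into one multivalue field, the `append`/second `stats` pulls in known hosts that reported no inventory at all, and `mvfind` checks the whole multivalue list with a regex (so the `Qualys*` wildcard from the question becomes `^Qualys`).

```spl
index=inventory sourcetype=software_inventory earliest=-7d
| eval host=lower(host)
| stats values(software) AS installed BY host
| append
    [| inputlookup known_hosts.csv
     | eval host=lower(host)
     | fields host ]
| stats values(installed) AS installed BY host
| eval has_crowdstrike=if(isnotnull(mvfind(installed, "(?i)CrowdStrike|falcon-sensor")), 1, 0)
| eval has_qualys=if(isnotnull(mvfind(installed, "(?i)^Qualys")), 1, 0)
| eval has_secureconnector=if(isnotnull(mvfind(installed, "(?i)^SecureConnector")), 1, 0)
| where has_crowdstrike=0 OR has_qualys=0 OR has_secureconnector=0
| eval missing=mvappend(if(has_crowdstrike=0, "CrowdStrike", null()),
                        if(has_qualys=0, "Qualys", null()),
                        if(has_secureconnector=0, "SecureConnector", null()))
| table host installed missing
| sort host
```

Hosts present only in the lookup come out of the second `stats` with an empty `installed` field, so every product is reported missing for them, which also surfaces machines that have stopped sending inventory entirely. Lower-casing `host` on both sides avoids false "missing" results when the lookup and the inventory spell hostnames differently.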