Splunk Enterprise

Extractions from query don't match events

pil321
Communicator

I have this query which is "mostly" working:

sourcetype=Script:InstalledApps | stats values(host) AS Hosts by DisplayName, DisplayVersion

I get what I'm expecting from the sourcetype=Script:InstalledApps part. The events show the whole DisplayName value for the applications. When I do the entire query, I don't get the whole DisplayName value. For example, "Security Update for Microsoft .NET Framework 4 Client Profile (KB3037578)" displays as "Security" when I do the stats values(host) AS Hosts by DisplayName, DisplayVersion part. Seems like it's a problem mostly with descriptions that have more than one word, but not always (?)


martin_mueller
SplunkTrust

I'm guessing your events have a line like this:

...
DisplayName=Security Update for Microsoft .NET Framework 4 Client Profile (KB3037578)
...

While your stats - and any other use of the field - only sees DisplayName=Security?

If so, that's due to the way Splunk reads default key-value extractions. There are no quotes surrounding the string, making it hard to automagically recognize that it's more than just a word. To test this, try this search:

sourcetype=Script:InstalledApps | rex "DisplayName=(?<myDisplayName>.*)" | stats values(host) AS Hosts by myDisplayName, DisplayVersion

If that works, move the extraction into Settings -> Fields -> Field Extractions for that sourcetype. Also, make sure to submit feedback to the App's developers to please, please add quotes around the field value to make this unnecessary in the future.
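To make the difference visible outside Splunk, here is an added Python model (not part of the answer or of the add-on) of what the two extractions see. The event text and hostnames are constructed, and the key=value matcher is a simplified stand-in for Splunk's real auto-extraction, not its implementation:

```python
import re
from collections import defaultdict

# Constructed sample events (host, raw text) shaped like win_installed_apps.bat
# output; the hostnames and the second application are made up for the demo.
EVENTS = [
    ("ws01", "DisplayName=Security Update for Microsoft .NET Framework 4 Client Profile (KB3037578)\nDisplayVersion=1"),
    ("ws02", "DisplayName=Security Update for Microsoft .NET Framework 4 Client Profile (KB3037578)\nDisplayVersion=1"),
    ("ws02", "DisplayName=Notepad++\nDisplayVersion=8.6"),
]
# The same entry written the way the answer asks the add-on authors to emit it.
QUOTED_EVENT = 'DisplayName="Security Update for Microsoft .NET Framework 4 Client Profile (KB3037578)"\nDisplayVersion=1'

# Simplified model of Splunk's default key=value auto-extraction: an unquoted
# value ends at the first whitespace, a double-quoted value is taken whole.
AUTO_KV = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')

def auto_kv(raw):
    """Return the key=value pairs the default extraction would see."""
    fields = {}
    for m in AUTO_KV.finditer(raw):
        fields[m["key"]] = m["quoted"] if m["quoted"] is not None else m["bare"]
    return fields

# The rex workaround from the answer: | rex "DisplayName=(?<myDisplayName>.*)"
# PCRE's (?<name>...) is (?P<name>...) in Python; '.' stops at the line break.
REX = re.compile(r"DisplayName=(?P<myDisplayName>.*)")

def rex_display_name(raw):
    m = REX.search(raw)
    return m["myDisplayName"] if m else None

def stats_values_host(events, name_of):
    """Emulate: | stats values(host) AS Hosts by <name field>, DisplayVersion."""
    groups = defaultdict(set)
    for host, raw in events:
        fields = auto_kv(raw)
        groups[(name_of(raw, fields), fields.get("DisplayVersion"))].add(host)
    return {key: sorted(hosts) for key, hosts in groups.items()}

# What the question observed: grouping by the auto-extracted DisplayName.
by_default = stats_values_host(EVENTS, lambda raw, fields: fields.get("DisplayName"))
# What the rex fix produces: grouping by the regex-captured myDisplayName.
by_rex = stats_values_host(EVENTS, lambda raw, fields: rex_display_name(raw))

if __name__ == "__main__":
    for label, table in (("default extraction", by_default), ("rex extraction", by_rex)):
        print(label)
        for (name, version), hosts in sorted(table.items()):
            print(f"  {name!r} {version} {hosts}")
    print("quoted value:", auto_kv(QUOTED_EVENT)["DisplayName"])
```

The default table collapses the update to the single word "Security", the rex table keeps the full name, and the quoted variant survives even the default extraction.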


pil321
Communicator

That did it... just needed the right SplunkFu! Thanks for the help martin_mueller!

I'll reach out to the Splunk Add-on for Windows app developers and mention it to them.

pil321
Communicator

Yes - I could have been clearer. I'll edit the question.

pil321
Communicator

Just to clarify on this - the script is getting me what I expect and the events actually do show the whole DisplayName value. When I do the query, I don't get the whole DisplayName value.

jeremiahc4
Builder

Ah, ok. So it would appear the stats command is truncating your DisplayName to the first word (field delimiter of a space). I'm not seeing anything on why that would be happening at the moment. Perhaps edit your original question if you can to make that point clearer.

jeremiahc4
Builder

Can you post the script up here? It's likely something in the way the script is capturing the application name.

pil321
Communicator

Sure - the script is from the Splunk Add-on for Windows app (win_installed_apps.bat):

@echo off
REM --------------------------------------------------------
REM Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved.
REM --------------------------------------------------------

setlocal EnableDelayedExpansion

REM For each app key, print out the name of the app and any parameters under the entry
for /f "tokens=*" %%G in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" ^| findstr "Uninstall\\"') do (call :output_reg "%%G" 72)

REM Do the same as above but with 32-bit apps, first checking if the key exists
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" >nul 2>&1
if %ERRORLEVEL% EQU 0 (
  for /f "tokens=*" %%G in ('reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" ^| findstr "Uninstall\\"') do (call :output_reg "%%G" 84)
)

goto :eof

:output_reg

    REM Echo an empty line to indicate that this is a new entry
    @echo.

    REM Get the current date into a variable
    for /f "tokens=*" %%A in ('date /t') do for %%B in (%%A) do set date=%%B

    REM Get the current time into a variable (the built-in %time% is hh:mm:ss.cc; keep only the part before the fraction)
    for /f "tokens=1,2 delims=." %%A in ("%time%") do set time=%%A

    REM Print out the date & time
    @echo %date% %time%

    REM Add the enumerated key
    @echo Installed application enumerated from %1

    REM Get the name of the app from the last segment in the registry path
    set app_name=%1

    REM Strips out the first x characters (from input) of the path in order to get just the app name
    set "app_name=!app_name:~%2%,150!"

    REM Strip the last quote
    set app_name=%app_name:~0,-1% 

    REM Store a count value so that we can avoid printing the first entry
    set count=0

    REM This variable determines if the display name was found
    set display_name_found=0

    REM Now get the sub-keys
    for /F "tokens=1,2*" %%A in ('reg query %1') do (
        set /a count+=1

        REM Skip the entry if it just repeats the name we are querying for or if it is blank or if is "<NO" (which indicates the item has no name)
        if not "%%A" == %1 if not "%%A" == "" if not "%%A" == "<NO" echo %%A=%%C

        REM Note that the display name was already found
        if %%A==DisplayName set /a display_name_found=1
    )

    REM If the display name was not found, then use the name of the registry path name instead
    if !display_name_found!==0 echo DisplayName=%app_name%