Finding out which users have certain software installed

Engager

I have been set a task at work to find out:
Which users have certain bits of software installed on their machine and have access to it, for licensing reasons.
Is there a simple search that can be done that creates a .csv file in the end that I can send to the manager?
It also needs to be able to be done with other bits of software.

Excuse the lack of knowledge; I am new to Splunk and still learning my way around.

0 Karma

Path Finder

Take a look at the Splunk Add-on for Windows app (https://docs.splunk.com/Documentation/WindowsAddOn/7.0.0/User/SourcetypesandCIMdatamodelinfo) if you are not already using it. This has a sourcetype, Script:InstalledApps, which will index all the installed applications.

Engager

@dglass0215 Is there a feature/search so that you can search for a specific application installed on all of the computers? Thank you

0 Karma

Path Finder

You can use the field named "DisplayName". Something like this:

sourcetype="Script:InstalledApps" DisplayName="\"McAfee*\""

0 Karma

Engager

I am doing this search:
index=windows sourcetype="Script:InstalledApps" DisplayName="Microsoft Visio Viewer 2013"
| fields host,DisplayName
| dedup host, DisplayName | eval
| fields host,DisplayName,UserName |stats values(DisplayName) AS Applications by host Last_Seen

And I get this error:
Error in 'eval' command: Arguments are missing. Usage: eval dest_key = expression.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

Could you advise?

0 Karma

Builder

your eval isn't eval'ing anything

try

index=windows sourcetype="Script:InstalledApps" DisplayName="Microsoft Visio Viewer 2013"
| stats values(DisplayName) as Applications by host Last_Seen
0 Karma

Engager

I tried that; I forgot to add the host=* so that it also displays the host name of the computer.

index=windows sourcetype="Script:InstalledApps" DisplayName="Microsoft Visio Viewer 2013" host=*
| stats values(DisplayName) as Applications by host Last_Seen

This still didn't work, there is no error; just no events found despite this software being installed on at least 50 machines

0 Karma

Builder

Is DisplayName a multivalue field?

If so, you may have some issues

try | stats count by DisplayName host Last_Seen maybe

0 Karma

Engager

@wmyersas I don't know what a multivalue field is in Splunk, as I am still new to it.

@dglass0215 I have run the search:
index=windows sourcetype="Script:InstalledApps" DisplayName="\"Microsoft Visio Viewer 2013"\"
| stats values(DisplayName) as Applications by host Last_Seen
and it still is not displaying the list of computers with that installed.

0 Karma

Path Finder

When you run a query and do not get any results, you need to lessen the criteria until you do to help figure out where the problem is.

For example: Do you get data if you search sourcetype="Script:InstalledApps" DisplayName="\"Microsoft Visio Viewer 2013\""?

0 Karma

Engager

No, nothing is displayed.

0 Karma

Path Finder

OK, so you need to look further into exactly what is in the DisplayName when you run just the query sourcetype="Script:InstalledApps"

0 Karma
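
One way to inspect what is actually stored in DisplayName, as suggested above. This is an added example, not part of the original posts: it assumes the index=windows used elsewhere in this thread, a DisplayName field extracted at search time, and uses the event time (_time) in place of Last_Seen. The field names name_as_stored, name_length, host_count, hosts and last_seen are made up for the example. The wildcard match does not depend on surrounding quotes or spaces, mvexpand covers the multivalue case raised earlier, and the square brackets make stray quotes or whitespace in the stored value visible.

```spl
index=windows sourcetype="Script:InstalledApps" DisplayName="*Visio*"
| mvexpand DisplayName
| eval name_as_stored="[" . DisplayName . "]", name_length=len(DisplayName)
| stats dc(host) AS host_count values(host) AS hosts latest(_time) AS last_seen BY name_as_stored name_length
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - host_count
```

Once the exact stored value is known, it can replace the wildcard in the filter, and the result table can be exported as CSV from the search results.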

Path Finder

Do you have events if you just search sourcetype="Script:InstalledApps"?

0 Karma

Engager

Yes, it displayed all of the installed software.

0 Karma

Path Finder

oh... for DisplayName you need DisplayName="\"Microsoft Visio Viewer 2013\""

0 Karma

SplunkTrust

@lewis_c26

Can you please share more details about the events you are collecting from the user's machine? Like sample events, or any App/TA you are using for data collection.

0 Karma

Engager

@kamlesh_vaghela

The Computer Name (Hostname), IP Address, User who is currently logged on, IP Address, Manufacturer, MAC Address, the domain and then the installed software and updates. All of this is collected using the Universal Forwarder and displayed on a handy dashboard. I believe there is more data and events collected, but the above is what I am aware of.
Thanks for the help.

0 Karma

Builder

If you already have it on a dashboard, just export the dashboard's results into a CSV.

Alternatively, open the dashboard panel in search, make any tweaks/changes, and then export those results in a CSV.

0 Karma

SplunkTrust

Or take that search, save it as a scheduled report, and send it directly to your manager, no manual actions needed 😉

cheers, MuS

Engager

Is it possible to give some more details on what search I could do to get the data on who has what software before generating the report to send to the user?

0 Karma

Builder

What are you actually trying to accomplish?

A per user report (to distribute to each user)?

What's on the dashboard you currently have?

0 Karma