Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- How to list out unwanted software installed on use...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to list out unwanted software installed on user machine
Dear team,
What is the search condition to list out, which are the software installed on user workstation.
Regards,
syed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your workstation OS is Windows, you can use the following PowerShell as a scripted input on your Universal Forwarder to get the installed software in a Splunk index.
Save this as GetInstalledSoftware.ps1 (or similar):
Param($Computer = $ENV:ComputerName)
$ScriptRunTime = (get-date).ToFileTime()
$RemoteRegistry = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine",$Computer)
$RegKey = $RemoteRegistry.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\")
if($RegKey)
{
foreach($key in $RegKey.GetSubKeyNames())
{
$output = @()
$SubKey = $RegKey.OpenSubKey($key)
$DisplayName = $SubKey.GetValue("DisplayName")
if($DisplayName)
{
$output += 'Name="{0}"' -f $DisplayName
$output += 'Version="{0}"' -f ($SubKey.GetValue("DisplayVersion"))
$output += 'InstallLocation="{0}"' -f ($SubKey.GetValue("InstallLocation"))
$output += 'Vendor="{0}"' -f ($SubKey.GetValue("Publisher"))
$output += 'ScriptRunTime="{0}"' -f $ScriptRunTime
}
if($output.count -gt 0)
{
Write-Host ("{0:MM/dd/yyyy HH:mm:ss} GMT - {1}" -f ((get-date).ToUniversalTime()),( $output -join " " ))
}
}
}
$RegKey = $RemoteRegistry.OpenSubKey("SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall")
if($RegKey)
{
foreach($key in $RegKey.GetSubKeyNames())
{
$output = @()
$SubKey = $RegKey.OpenSubKey($key)
$DisplayName = $SubKey.GetValue("DisplayName")
if($DisplayName)
{
$output += 'Name="{0}"' -f $DisplayName
$output += 'Version="{0}"' -f ($SubKey.GetValue("DisplayVersion"))
$output += 'InstallLocation="{0}"' -f ($SubKey.GetValue("InstallLocation"))
$output += 'Vendor="{0}"' -f ($SubKey.GetValue("Publisher"))
$output += 'ScriptRunTime="{0}"' -f $ScriptRunTime
}
if($output.count -gt 0)
{
Write-Host ("{0:MM/dd/yyyy HH:mm:ss} GMT - {1}" -f ((get-date).ToUniversalTime()),( $output -join " " ))
}
}
}
Then, you can use a search like the following to see what software is installed per workstation:
index=YOUR_INDEX sourcetype="YOUR_SOURCETYPE" | stats values(host) AS Hosts by Name Version Vendor | sort Name | rename Name AS "Application Name"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk does not do this by default. You need to create or acquire something else that can track software and forward this periodically into Splunk. Typically this is done with a Scripted Input. You can check to see if somebody else has created one by visiting splunkbase:
http://apps.splunk.com/
I know that Tanium also does this and plays well with Splunk:
https://www.tanium.com/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You will need to provide a lot more information. What data do you have in splunk, do you have a list of "wanted" software etc. Share some events and/or query that you have tried to get the best possible answer.
Data Management Digest – December 2025
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
