Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Check if new software detected exists/doesn't exist in Lookup

siddh01r
New Member
‎03-06-2019 07:06 PM

I am trying to find out when a new software get installed on any end point. and I also have a script running to collect installed software

I have created a lookup file called installed_software_workstations.csv - where i have recorded all the approved software.
I need help with something like -

check if software is not in lookup file( installed_software_workstations.csv). flag it as unapproved software or new software.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎03-07-2019 05:48 AM

@siddh01r,

Assuming that you have the list of softwares installed and software name is DisplayName. Your lookup table has product which points to software name.
Try

sourcetype = Script:InstalledApps" |stats count by DisplayName 
|lookup approved_software-workstations.csv product as DisplayName
|where isnull(is_approved)
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎03-07-2019 05:48 AM

@siddh01r,

Assuming that you have the list of softwares installed and software name is DisplayName. Your lookup table has product which points to software name.
Try

sourcetype = Script:InstalledApps" |stats count by DisplayName 
|lookup approved_software-workstations.csv product as DisplayName
|where isnull(is_approved)
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

siddh01r
New Member
‎03-07-2019 04:00 PM

This has worked for me mate!!! thank you so much!!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...