Solved: Check if new software detected exists/doesn't exis...

siddh01r · ‎03-06-2019

I am trying to find out when a new software get installed on any end point. and I also have a script running to collect installed software

I have created a lookup file called installed_software_workstations.csv - where i have recorded all the approved software.
I need help with something like -

check if software is not in lookup file( installed_software_workstations.csv). flag it as unapproved software or new software.

renjith_nair · ‎03-07-2019

@siddh01r,

Assuming that you have the list of softwares installed and software name is DisplayName. Your lookup table has product which points to software name.
Try

sourcetype = Script:InstalledApps" |stats count by DisplayName 
|lookup approved_software-workstations.csv product as DisplayName
|where isnull(is_approved)

Happy Splunking!

View solution in original post

renjith_nair · ‎03-07-2019

@siddh01r,

Assuming that you have the list of softwares installed and software name is DisplayName. Your lookup table has product which points to software name.
Try

sourcetype = Script:InstalledApps" |stats count by DisplayName 
|lookup approved_software-workstations.csv product as DisplayName
|where isnull(is_approved)

Happy Splunking!

siddh01r · ‎03-07-2019

This has worked for me mate!!! thank you so much!!!!

Check if new software detected exists/doesn't exist in Lookup

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk