index=xxxx sourcetype="Script:InstalledApps" DisplayName="Carbon Black Cloud Sensor 64-bit"
I am trying to get the list/names of hosts that don't have Carbon Black installed. Can someone help me with a simple query for this? If I do DisplayName!= and then table the host, it's not giving me the correct result.
And that makes sense. I assume that your script produces several events per host - one for each piece of software installed. So if you just filter the raw events to get only those not being a Carbon Black inventory/installation/whatever report, you'll still get all remaining software from that host, so this host will still be in your results.
You need to first group your results by host and then filter to get only those without Carbon Black:
index=windowsevent sourcetype="Script:InstalledApps"
| stats values(DisplayName) as DisplayName by host
| search NOT DisplayName="Carbon Black*"
One additional word of explanation - the last line - the search command makes use of how Splunk processes matching for multivalued fields - it tries every value from a multivalued field to decide whether it can find a matching one or not.
Adding to @yuanliu's remark - one more thing about the matching logic. Remember that the "key!=value" condition is not the same as the "NOT key=value" condition.
The "key!=value" condition will match only events having the key called "key" which have values not matching "value". But the "NOT key=value" will do that but also match all events where the key called "key" is not present at all.
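To make both points above concrete (why the event-by-event filter returns every host, and why "key!=value" and "NOT key=value" differ when the field is absent), here is an added Python model of the Splunk behaviour, not code from the thread or from Splunk. It runs over a constructed inventory set of one event per installed app per host, plus a host whose event carries no DisplayName at all. The case-insensitive prefix match for "Carbon Black*" is an assumption about how the wildcard is evaluated.

```python
from collections import defaultdict

SENSOR = "Carbon Black Cloud Sensor 64-bit"

# Constructed sample events, mirroring a Script:InstalledApps scripted input:
# one event per (host, installed application). "ws03" is a deliberately
# constructed edge case whose event has no DisplayName field at all.
EVENTS = [
    {"host": "ws01", "DisplayName": SENSOR},
    {"host": "ws01", "DisplayName": "Google Chrome"},
    {"host": "ws02", "DisplayName": "Google Chrome"},
    {"host": "ws02", "DisplayName": "7-Zip"},
    {"host": "ws03"},
]


def naive_hosts(events, sensor=SENSOR):
    """Model of: NOT DisplayName="<sensor>" | dedup host | table host

    The filter is applied event by event, so a host that has the sensor
    still survives through any of its other software events."""
    return sorted({e["host"] for e in events if e.get("DisplayName") != sensor})


def grouped_hosts(events, prefix="Carbon Black"):
    """Model of: stats values(DisplayName) as DisplayName by host
               | search NOT DisplayName="Carbon Black*"

    Group first, then drop a host if ANY of its values matches the wildcard.
    Assumption: the wildcard is a case-insensitive prefix match."""
    by_host = defaultdict(set)
    for e in events:
        by_host[e["host"]]  # register the host even if it has no DisplayName
        if "DisplayName" in e:
            by_host[e["host"]].add(e["DisplayName"])
    return sorted(
        host for host, names in by_host.items()
        if not any(n.lower().startswith(prefix.lower()) for n in names)
    )


def not_equal_filter(events, sensor=SENSOR):
    """Model of DisplayName!="<sensor>": keeps only events that HAVE the field
    and whose value differs. Events without the field are dropped."""
    return [e for e in events if "DisplayName" in e and e["DisplayName"] != sensor]


def not_filter(events, sensor=SENSOR):
    """Model of NOT DisplayName="<sensor>": keeps differing values AND events
    where the field is missing entirely."""
    return [e for e in events if e.get("DisplayName") != sensor]


if __name__ == "__main__":
    print("naive:   ", naive_hosts(EVENTS))      # every host, including ws01
    print("grouped: ", grouped_hosts(EVENTS))    # only hosts without the sensor
    print("!= keeps ", len(not_equal_filter(EVENTS)), "events")
    print("NOT keeps", len(not_filter(EVENTS)), "events")
```

Note that ws03 appears in the grouped result too: a host with no DisplayName values at all is also "not running Carbon Black" as far as the search can tell, which is usually what you want for a coverage gap report, but it is worth eyeballing those hosts separately since it may just be a broken inventory run.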
Thank you. Maybe I am not being clear enough. I apologize.
index=windowsevent sourcetype="Script:InstalledApps" NOT DisplayName="Carbon Black Cloud Sensor 64-bit"
| dedup host
| table host
When I ran this, it returns all the hosts I have in Splunk, and many of those hosts have Carbon Black Cloud installed.
This works!! Thank you.
If something is "not giving (you) the correct result," you need to describe what the correct result is. In addition, you Otherwise volunteers will be wasting their time guessing.
Maybe you mean the alternative NOT DisplayName="Carbon Black Cloud Sensor 64-bit"? Maybe there is something else in the data that you didn't describe that others need to know in order to help?