Determine which host doesn't have a particular software installed

Olatundeny
Engager

index=xxxx sourcetype="Script:InstalledApps" DisplayName="Carbon Black Cloud Sensor 64-bit"

I am trying to get the list/names of hosts that don't have Carbon Black installed. Can someone help me with a simple query for this? If I do DisplayName!= and then table the host, it's not giving me the correct result.


PickleRick
SplunkTrust

Adding to @yuanliu 's remark - one more thing about the matching logic. Remember that "key!=value" condition is not the same as "NOT key=value" condition.

The "key!=value" condition will match only events having the key called "key" which have values not matching "value". But "NOT key=value" will do that and also match all events where the key called "key" is not present at all.

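An added reproduction of that difference (example search, not part of the thread; the field name key and its values are made up for the illustration). It is built on makeresults, so it runs on any Splunk instance without index data and shows both filters side by side on the same three events:

```spl
| makeresults count=3
| streamstats count AS n
| eval key=case(n=1, "value", n=2, "other")
| search key!="value"
| eval condition="key!=value"
| append
    [| makeresults count=3
     | streamstats count AS n
     | eval key=case(n=1, "value", n=2, "other")
     | search NOT key="value"
     | eval condition="NOT key=value"]
| table condition n key
```

Event n=1 has key="value", event n=2 has key="other", and event n=3 has no key field at all (case() without a default returns null). The table comes back with three rows: key!=value keeps only n=2, while NOT key=value keeps n=2 and n=3. Whenever "the field is missing" is a case you want to catch (a host with no inventory record, a process with no parent name), use NOT; whenever you only want events that carry the field with a different value, use !=.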

Olatundeny
Engager

Thank you. Maybe I am not being clear enough. I apologize.

index=windowsevent sourcetype="Script:InstalledApps" NOT DisplayName="Carbon Black Cloud Sensor 64-bit"
| dedup host
| table host

When I ran this, it returns all the hosts I have in Splunk, and many of those hosts have the Carbon Black Cloud sensor installed.


PickleRick
SplunkTrust

And that makes sense. I assume that your script produces several events per host, one for each piece of software installed. So if you just filter the raw events to get only those not being a Carbon Black inventory/installation/whatever report, you'll still get all remaining software from that host, so this host will still be in your results.

You need to first group your results by host and then filter to get only those without Carbon Black.

index=windowsevent sourcetype="Script:InstalledApps"
| stats values(DisplayName) as DisplayName by host
| search NOT DisplayName="Carbon Black*"

One additional word of explanation - the last line - the search command makes use of how Splunk processes matching for multivalued fields - it tries every value from a multivalued field to decide whether it can find a matching one or not.

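An added end-to-end reproduction of the grouped approach (example search, not from the thread). The inventory events and the four-host asset list are constructed with makeresults so it runs without an index; host names and software names are made up. It goes one step beyond the accepted answer: it appends a bare asset list before the stats, so a host that has no inventory events at all in the search window (srv04 here) still gets a row, and because the last line uses NOT rather than !=, that empty row is flagged too:

```spl
| makeresults
| eval row=split("srv01|Carbon Black Cloud Sensor 64-bit,srv01|7-Zip 23.01 (x64),srv02|7-Zip 23.01 (x64),srv02|Google Chrome,srv03|Carbon Black Cloud Sensor 32-bit", ",")
| mvexpand row
| eval host=mvindex(split(row, "|"), 0), DisplayName=mvindex(split(row, "|"), 1)
| fields - row
| append
    [| makeresults
     | eval host=split("srv01,srv02,srv03,srv04", ",")
     | mvexpand host
     | fields host]
| stats values(DisplayName) AS DisplayName BY host
| search NOT DisplayName="Carbon Black*"
| table host DisplayName
```

The result is two rows: srv02 (7-Zip, Google Chrome) and srv04 (empty DisplayName, because the only record for it is the asset-list row). srv01 is excluded by the 64-bit sensor and srv03 by the 32-bit one, which is why the wildcard is preferable to the exact product name from the question. To use this on real data, replace the first five lines with index=... sourcetype="Script:InstalledApps" and the appended makeresults with your own asset source (for example an inputlookup against an asset lookup of your choosing; no such lookup name is given in the thread), and keep the time range wide enough to cover a full inventory cycle: a host whose last inventory run predates the window is indistinguishable from one that never reported.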

Olatundeny
Engager

This works!! Thank you


yuanliu
SplunkTrust

If something is "not giving (you) the correct result," you need to describe what the correct result is.  In addition, you   Otherwise volunteers will be wasting their time guessing.

Maybe you mean the alternative NOT DisplayName="Carbon Black Cloud Sensor 64-bit"? Maybe there is something else in the data that you didn't describe that others need to know in order to help?
