How do I monitor Windows application install and removal?

deav
Loves-to-Learn

I need to monitor all Windows servers and alert if a critical application gets uninstalled.

The simplest query would be searching for Event ID 11724 and comparing the application name in the "Message" field.

index=wineventlog EventCode="11724" 
| search Message="*app_name*" 

However, it will produce lots of false positives, because application updates/upgrades automatically uninstall the application (Event ID 11724) and install it again (Event ID 11707) within 5 mins (on average).

My idea is to combine the 2 event IDs in a single query: search for the uninstallation event of an application and, if no installation event (11707) can be found within 5 mins, return True for alerting.

But I did a quick study on subsearch and join, and I have no idea how to create this query.

Anyone got a better idea? 

0 Karma

gcusello
SplunkTrust

Hi @deav,

first, always put the search terms as far left as possible; don't use the search command after the main search, you should use it only for searching on terms elaborated after the main search:

index=wineventlog EventCode="11724" Message="*app_name*" 

Then you should correlate your events using the transaction command, which is very slow, or the stats command, using something like this:

index=wineventlog EventCode IN ("11724","11707") Message="*app_name*" 
| stats 
   latest(eval(if(EventCode="11724",_time,null()))) AS uninstall
   latest(eval(if(EventCode="11707",_time,null()))) AS install
   dc(EventCode) AS EventCode_count
   BY host appname
| eval diff=install-uninstall
``` EventCode no longer exists after stats: an uninstall-only group is one where install is null ```
| where (EventCode_count=1 AND isnull(install)) OR (EventCode_count=2 AND diff<300)

in this way you have all the apps for each host where there's only the uninstall action or where the difference between install and uninstall is less than 5m.

I supposed that you already extracted appname, otherwise you have to extract it; if you need help, please share some samples of your events in text format.

Ciao.

Giuseppe

0 Karma

Priya70
Explorer

Hi @gcusello I am working on this exact query. The problem is that I do not get any results even though I have devices reporting only the uninstall event code, which is 11724. The appname is being extracted correctly using the following rex:

| rex field=Message "Product: (?<appname>[^\-]+)"

Could you please help me fix the query?

index=wineventlog EventCode IN ("11724","11707") Message="*sampleapp*" 
| rex field=Message "Product: (?<appname>[^\-]+)"
| stats 
   latest(eval(if(EventCode="11724",_time,""))) AS uninstall
   latest(eval(if(EventCode="11707",_time,""))) AS install
   dc(EventCode) AS EventCode_count
   BY host appname
| eval diff=install-uninstall
| where (EventCode_count=1 AND EventCode="11724") OR (EventCode_count=2 AND diff<300)

0 Karma

gcusello
SplunkTrust

Hi @Priya70 ,

are you sure about the regex?

Probably it isn't correct, so you don't extract the appname field and the stats doesn't give any result.

I can help you if you can share some samples of your logs.

Only a general hint: you are working on Windows logs, which are multiline, so try adding the multiline option to your regex:

| rex field=Message "(?ms)Product: (?<appname>[^\-]+)"

Ciao.

Giuseppe

0 Karma

Priya70
Explorer

Hi @gcusello I can confirm that the regex is correct because I see the app names when I display them in a table.

The problem is it's not returning anything when there are devices with only the uninstall event, but no subsequent install event for the same application.

Also, I'm not sure why I keep getting events for the same application being "removed successfully" every day when there is no installation of the application later on.

0 Karma

gcusello
SplunkTrust

Hi @Priya70 ,

in this case the issue is in the verification algorithm, not in the search!

Adapt it correctly for your data.

Ciao.

Giuseppe

0 Karma
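Added example (not from any post in this thread): a search that implements the rule deav asked for, evaluating every removal separately instead of only the latest one per host/app, which also covers Priya70's two cases (devices with only a removal, and the same application being removed again every day). The index name, the application names in the IN list and the 5-minute window are assumptions; the Message format "Product: <name> -- Removal completed successfully." is the standard MsiInstaller text for Event ID 11724/11707.

```spl
index=wineventlog EventCode IN ("11724","11707")
| rex field=Message "(?ms)Product:\s+(?<appname>.+?)\s+--\s+"
| search appname IN ("CriticalApp*", "EndpointAgent*")   ```assumed names of the monitored applications```
| sort 0 -_time   ```newest first, so the event streamstats saw just before this one is the chronologically next one```
| streamstats current=f window=1 last(_time) AS next_time last(EventCode) AS next_code BY host appname
| where EventCode="11724"
    AND _time <= now()-300   ```only removals whose full 5-minute grace period lies inside the search range```
    AND (isnull(next_time) OR next_code!="11707" OR next_time-_time>300)
| eval removed_at=strftime(_time,"%F %T"),
       next_event=case(isnull(next_time), "none in search range",
                       next_code="11707", "install at ".strftime(next_time,"%F %T"),
                       true(), "another removal at ".strftime(next_time,"%F %T"))
| table removed_at host appname next_event
```

Each row is one removal that was not followed by an install of the same product on the same host within 300 seconds, so a removal followed by another removal (the daily "removed successfully" pattern) is reported, and a removal that is the last event for that host/app is reported too. Saved as an alert that runs every 5 minutes over the last 10 minutes (earliest=-10m@m), each removal is evaluated exactly once, after its grace period has elapsed; the `_time <= now()-300` clause is what prevents a removal near the end of the range from alerting before its reinstall could have been indexed. The triple-backtick comments are SPL inline comments (Splunk 8.0 or later) and can be deleted on older versions.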