Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I monitor Windows application install and removal?

deav
Loves-to-Learn
‎06-01-2023 08:16 PM

I need to monitor all Windows servers to alert if there is a critical application got uninstalled.

The simplest query would be searching for Event ID 11724 and compare the application name in "Message" field.

index=wineventlog EventCode="11724" 
| search Message="*app_name*" 

However, it will get lots of false positive that application updates/upgrades will automatically uninstall the application (Event ID 11724) and install it (Event ID 11707) within 5 mins(average).    

My idea is to combine 2 event ID in a single query. Searching for uninstallation event of an application and if there is no installation event (11707) can be found within 5 mins. It returns True for alerting.

But I did a quick study on subsearch or join, and has no idea how to create this query.

Anyone got a better idea? 

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-02-2023 12:27 AM

Hi @deav,

at first put always the search terms as left as possible, don't use the search command after the main search, you should use it only for searching on termes elaborated after the main search:

index=wineventlog EventCode="11724" Message="*app_name*"

Thne you should correlate you events using the transaction command, that,'s very slow or stats command using something like this:

index=wineventlog EventCode IN ("11724","11707") Message="*app_name*" 
| stats 
   latest(eval(if(EventCode="11724",_time,""))) AS uninstall
   latest(eval(if(EventCode="11707",_time,""))) AS install
   dc(EventCode) AS EventCode_count
   BY host appname
| eval diff=install-uninstall
| where (EventCode_count=1 AND EventCode="11724") OR (EventCode_count=2 AND diff<300)

in this way you have all the apps for each host where there's only the uninstall action or the difference between install and uninstall is less than 5m.

I supposed that you already extracted appname, otherwise you have to extract it, if you need help, please share some sample of your events in text format.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...