
How to edit my search to get the last software inventory for each computer?

Communicator

Hello,

I am collecting into Splunk the software inventory periodically sent by all my computers.

Each inventoried software is generating a Splunk event similar to:
host = COMPUTERNAME
inventoryDate = (timestamp)
SoftwarePublisher
SoftwareName
SoftwareVersion
(...)

Each computer sends its inventory every two days.

From there, I want to build the following searches into Splunk
1. Get latest inventory for a given computer at a specific point in time
2. Get latest inventory from all computers at a specific point in time

For #1, I successfully used the following search, filtering the time period as required:

(...) host=<COMPUTERNAME>| eventstats max(InventoryDate) as LastInventoryDate | where InventoryDate=LastInventoryDate 

It works as expected, but is it the most optimized way to proceed?

For #2, I cannot find how to get the equivalent, basically removing the filter on host and getting all the latest inventories.
Any suggestion?

Thanks.


Re: How to edit my search to get the last software inventory for each computer?

Champion

Assuming your timestamping is correctly parsed and your events are in correct time order, the following should work for your first request

... host=<COMPUTERNAME> | head 1

For #2, I am not sure if this is the most efficient but I think it works

... | stats latest(_time) as _time latest(_raw) as _raw by host | extract | table _time host *


Re: How to edit my search to get the last software inventory for each computer?

Communicator

@rjthibod, thanks for your suggestion but it does not work as it only returns one event per host.

Basically, a software inventory for a given computer is made of multiple "software" events (let's say ~200-500 different software per computer).
For a given inventory, I guarantee that InventoryDate is the same for all software "events" that are part of the same inventory upload. _time is also equal to InventoryDate.

So for #2, I am looking for a search that:
For each computer/host:
1. Get latest inventory date
2. Return all software events having _time (or InventoryDate) equal to the latest inventory date


Re: How to edit my search to get the last software inventory for each computer?

Champion

Sorry for the confusion on my part. Glad you got what you needed in the other answer.


Re: How to edit my search to get the last software inventory for each computer?

Legend

Have you tried this?

(...) | eventstats max(InventoryDate) as LastInventoryDate by host | where InventoryDate=LastInventoryDate | table host InventoryDate SoftwarePublisher SoftwareName SoftwareVersion

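To make the difference between the two approaches concrete, here is an added example (not from the thread or from Splunk) that models the accepted search over a small constructed set of inventory events: the per-host maximum is computed first, then every event of that upload is kept, which is what `stats latest(...) by host` cannot do. The host names, dates and software rows are made up.

```python
from collections import defaultdict

# Constructed sample events (not real data): two hosts, each uploading its
# whole inventory (several software rows) on one or more InventoryDates.
EVENTS = [
    {"host": "PC-A", "InventoryDate": 100, "SoftwareName": "Editor",  "SoftwareVersion": "1.0"},
    {"host": "PC-A", "InventoryDate": 100, "SoftwareName": "Browser", "SoftwareVersion": "9.1"},
    {"host": "PC-A", "InventoryDate": 300, "SoftwareName": "Editor",  "SoftwareVersion": "1.1"},
    {"host": "PC-A", "InventoryDate": 300, "SoftwareName": "Browser", "SoftwareVersion": "9.2"},
    {"host": "PC-A", "InventoryDate": 300, "SoftwareName": "Agent",   "SoftwareVersion": "4.0"},
    {"host": "PC-B", "InventoryDate": 150, "SoftwareName": "Editor",  "SoftwareVersion": "1.0"},
    {"host": "PC-B", "InventoryDate": 150, "SoftwareName": "Browser", "SoftwareVersion": "9.0"},
]


def latest_event_per_host(events):
    """Models `stats latest(_raw) as _raw by host`: stats collapses to one
    row per host, so only one software row survives per computer."""
    latest = {}
    for e in events:
        cur = latest.get(e["host"])
        if cur is None or e["InventoryDate"] > cur["InventoryDate"]:
            latest[e["host"]] = e
    return latest


def latest_inventory_per_host(events):
    """Models `eventstats max(InventoryDate) as LastInventoryDate by host
    | where InventoryDate=LastInventoryDate`: eventstats annotates every
    event with its host's maximum, and the where keeps the whole upload."""
    last_date = defaultdict(int)
    for e in events:
        last_date[e["host"]] = max(last_date[e["host"]], e["InventoryDate"])
    return [e for e in events if e["InventoryDate"] == last_date[e["host"]]]


def inventory_at(events, host, as_of):
    """Models request #1 with a time-range filter: the latest upload of one
    host whose InventoryDate is not after `as_of` (empty if none exists)."""
    window = [e for e in events if e["host"] == host and e["InventoryDate"] <= as_of]
    if not window:
        return []
    last = max(e["InventoryDate"] for e in window)
    return [e for e in window if e["InventoryDate"] == last]
```

In SPL, compare on `_time` or an epoch-valued `InventoryDate` so that `max()` orders numbers rather than strings.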

Re: How to edit my search to get the last software inventory for each computer?

Communicator

Thanks a lot. I was not far, I was just missing the "by host" 🙂
