Splunk Search

How do I monitor Windows application install and removal?

deav
Loves-to-Learn

I need to monitor all Windows servers and alert if a critical application gets uninstalled.

The simplest query would be searching for Event ID 11724 and comparing the application name in the "Message" field.

index=wineventlog EventCode="11724" 
| search Message="*app_name*" 

However, it will produce lots of false positives, because application updates/upgrades automatically uninstall the application (Event ID 11724) and install it again (Event ID 11707) within 5 minutes (on average).

My idea is to combine the 2 event IDs in a single query: search for the uninstallation event of an application and, if no installation event (11707) can be found within 5 minutes, return True for alerting.

But I only did a quick study of subsearch and join, and I have no idea how to create this query.

Anyone got a better idea? 


gcusello
SplunkTrust

Hi @deav,

first, always put the search terms as far left as possible; don't use the search command after the main search, you should use it only for searching on terms elaborated after the main search:

index=wineventlog EventCode="11724" Message="*app_name*" 

Then you should correlate your events using the transaction command, which is very slow, or the stats command, using something like this:

index=wineventlog EventCode IN ("11724","11707") Message="*app_name*" 
| stats 
   latest(eval(if(EventCode="11724",_time,null()))) AS uninstall
   latest(eval(if(EventCode="11707",_time,null()))) AS install
   dc(EventCode) AS EventCode_count
   BY host appname
| eval diff=install-uninstall
| where (EventCode_count=1 AND isnotnull(uninstall)) OR (EventCode_count=2 AND diff<300)

in this way you have all the apps for each host where there's only the uninstall action, or where the difference between install and uninstall is less than 5m.

I assumed that you have already extracted appname; otherwise you have to extract it. If you need help, please share some samples of your events in text format.

Ciao.

Giuseppe

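As an added example (not Giuseppe's query), here is a scheduled-alert version of the same stats correlation that matches the original requirement: fire only for an uninstall that has not been followed by a reinstall within 5 minutes. It assumes the MsiInstaller message format "Product: <name> -- Removal/Installation completed successfully." for extracting appname, and the application names in the IN list are placeholders.

```spl
index=wineventlog EventCode IN ("11724","11707") earliest=-20m
| rex field=Message "^Product: (?<appname>.+?) -- "
| search appname IN ("Critical App A","Critical App B")
| stats
    latest(eval(if(EventCode="11724",_time,null()))) AS uninstall
    latest(eval(if(EventCode="11707",_time,null()))) AS install
    BY host appname
| where isnotnull(uninstall)
    AND uninstall < relative_time(now(), "-5m")
    AND (isnull(install) OR install < uninstall OR install - uninstall > 300)
| eval uninstall_time=strftime(uninstall, "%Y-%m-%d %H:%M:%S")
| table host appname uninstall_time
```

The `uninstall < relative_time(now(), "-5m")` clause gives a running upgrade its 5-minute grace period before the alert can fire, and the 20-minute search window keeps the matching 11707 event in scope when the alert is scheduled every 5 minutes.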