Splunk Search

Search hosts, Windows updates

ivan123357
Explorer

Hello! I am new in Splunk Search.  

I am using this query to find all hosts to which a specific update was installed:

source="WinEventLog:System" | search "KB4579311" | stats last(Keywords) as lastStatus by _time, host | search lastStatus="Installation, Failure”

But I need a query to find all hosts and create a table with hosts to which this update wasn't installed. It turns out that I need to display all hosts that were not found in the request above. Need help with it. Thank you!

Labels (2)
Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Finding something that is not there is not Splunk's strong suit.  See this blog entry for a good write-up on it.

https://www.duanewaddle.com/proving-a-negative/

---
If this reply helps you, Karma would be appreciated.
0 Karma

ivan123357
Explorer

Thank you for your answer!

If think logically, then I need to display hosts in the logs of which a certain number of updates is NOT found, which I indicate in the search. For example:

source="WinEventLog:System" EventCode=19 | stats by host |where NOT like(Message, " Update_Number"). But this search shows all events without this string(update number) but I need only a list of hosts. 

 

 

 

0 Karma

isoutamo
SplunkTrust
SplunkTrust
Hi
I think this should work
- get list of all your wndows hosts to lookup (e.g. once a week)
- query hosts which have this fix applied
- use previous lookup within above query to get list of nodes which haven’t this fix installed.
There is quite many examples how this could do.
r. Ismo
0 Karma

ivan123357
Explorer

Hello!

Sounds great. I will try it now. 

Can you give me an example too or a URL to documentation? It would be cool if I had a fewexamples

0 Karma

isoutamo
SplunkTrust
SplunkTrust
0 Karma

ivan123357
Explorer

I tried this way but I didn't receive any result. I am a newbie in Splunk 😞 

What do you think about this way?:

I can search all events with a successful update using regex search 

source="WinEventLog:System" | regex Message = "KB5555555" and for example i receive a few events from two hosts. First question: How I can create a table with a list of these hosts?

As I guess, then I can't use a search like "source="WinEventLog:System" | regex not Message = "KB5555555"" to find all hosts without this update because this search won't show any events.  

I'm stumped 😞 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...