Splunk Search

Search hosts, Windows updates

ivan123357
Explorer

Hello! I am new in Splunk Search.  

I am using this query to find all hosts to which a specific update was installed:

source="WinEventLog:System" | search "KB4579311" | stats last(Keywords) as lastStatus by _time, host | search lastStatus="Installation, Failure”

But I need a query to find all hosts and create a table with hosts to which this update wasn't installed. It turns out that I need to display all hosts that were not found in the request above. Need help with it. Thank you!

Labels (2)
Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Finding something that is not there is not Splunk's strong suit.  See this blog entry for a good write-up on it.

https://www.duanewaddle.com/proving-a-negative/

---
If this reply helps you, Karma would be appreciated.
0 Karma

ivan123357
Explorer

Thank you for your answer!

If think logically, then I need to display hosts in the logs of which a certain number of updates is NOT found, which I indicate in the search. For example:

source="WinEventLog:System" EventCode=19 | stats by host |where NOT like(Message, " Update_Number"). But this search shows all events without this string(update number) but I need only a list of hosts. 

 

 

 

0 Karma

isoutamo
SplunkTrust
SplunkTrust
Hi
I think this should work
- get list of all your wndows hosts to lookup (e.g. once a week)
- query hosts which have this fix applied
- use previous lookup within above query to get list of nodes which haven’t this fix installed.
There is quite many examples how this could do.
r. Ismo
0 Karma

ivan123357
Explorer

Hello!

Sounds great. I will try it now. 

Can you give me an example too or a URL to documentation? It would be cool if I had a fewexamples

0 Karma

isoutamo
SplunkTrust
SplunkTrust
0 Karma

ivan123357
Explorer

I tried this way but I didn't receive any result. I am a newbie in Splunk 😞 

What do you think about this way?:

I can search all events with a successful update using regex search 

source="WinEventLog:System" | regex Message = "KB5555555" and for example i receive a few events from two hosts. First question: How I can create a table with a list of these hosts?

As I guess, then I can't use a search like "source="WinEventLog:System" | regex not Message = "KB5555555"" to find all hosts without this update because this search won't show any events.  

I'm stumped 😞 

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...