Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search hosts, Windows updates

ivan123357
Explorer
‎11-09-2020 09:08 AM

Hello! I am new in Splunk Search.  

I am using this query to find all hosts to which a specific update was installed:

source="WinEventLog:System" | search "KB4579311" | stats last(Keywords) as lastStatus by _time, host | search lastStatus="Installation, Failure”

But I need a query to find all hosts and create a table with hosts to which this update wasn't installed. It turns out that I need to display all hosts that were not found in the request above. Need help with it. Thank you!

Labels (2)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-09-2020 10:15 AM

Finding something that is not there is not Splunk's strong suit.  See this blog entry for a good write-up on it.

https://www.duanewaddle.com/proving-a-negative/

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ivan123357
Explorer
‎11-09-2020 10:24 AM

Thank you for your answer!

If think logically, then I need to display hosts in the logs of which a certain number of updates is NOT found, which I indicate in the search. For example:

source="WinEventLog:System" EventCode=19 | stats by host |where NOT like(Message, " Update_Number"). But this search shows all events without this string(update number) but I need only a list of hosts. 

 

 

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-09-2020 11:29 AM
Hi
I think this should work
- get list of all your wndows hosts to lookup (e.g. once a week)
- query hosts which have this fix applied
- use previous lookup within above query to get list of nodes which haven’t this fix installed.
There is quite many examples how this could do.
r. Ismo
0 Karma
Reply

ivan123357
Explorer
‎11-09-2020 11:51 AM

Hello!

Sounds great. I will try it now. 

Can you give me an example too or a URL to documentation? It would be cool if I had a fewexamples

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-09-2020 12:16 PM
This is one version of your challenge https://community.splunk.com/t5/Getting-Data-In/How-to-create-an-alert-for-the-host-not-sending-data...
r. Ismo
0 Karma
Reply

ivan123357
Explorer
‎11-10-2020 01:32 AM

I tried this way but I didn't receive any result. I am a newbie in Splunk 😞 

What do you think about this way?:

I can search all events with a successful update using regex search 

source="WinEventLog:System" | regex Message = "KB5555555" and for example i receive a few events from two hosts. First question: How I can create a table with a list of these hosts?

As I guess, then I can't use a search like "source="WinEventLog:System" | regex not Message = "KB5555555"" to find all hosts without this update because this search won't show any events.  

I'm stumped 😞 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...