Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Search hosts, Windows updates

ivan123357
Explorer
‎11-09-2020 09:08 AM

Hello! I am new in Splunk Search.  

I am using this query to find all hosts to which a specific update was installed:

source="WinEventLog:System" | search "KB4579311" | stats last(Keywords) as lastStatus by _time, host | search lastStatus="Installation, Failure”

But I need a query to find all hosts and create a table with hosts to which this update wasn't installed. It turns out that I need to display all hosts that were not found in the request above. Need help with it. Thank you!

Labels (2)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-09-2020 10:15 AM

Finding something that is not there is not Splunk's strong suit.  See this blog entry for a good write-up on it.

https://www.duanewaddle.com/proving-a-negative/

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ivan123357
Explorer
‎11-09-2020 10:24 AM

Thank you for your answer!

If think logically, then I need to display hosts in the logs of which a certain number of updates is NOT found, which I indicate in the search. For example:

source="WinEventLog:System" EventCode=19 | stats by host |where NOT like(Message, " Update_Number"). But this search shows all events without this string(update number) but I need only a list of hosts. 

 

 

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-09-2020 11:29 AM
Hi
I think this should work
- get list of all your wndows hosts to lookup (e.g. once a week)
- query hosts which have this fix applied
- use previous lookup within above query to get list of nodes which haven’t this fix installed.
There is quite many examples how this could do.
r. Ismo
0 Karma
Reply

ivan123357
Explorer
‎11-09-2020 11:51 AM

Hello!

Sounds great. I will try it now. 

Can you give me an example too or a URL to documentation? It would be cool if I had a fewexamples

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-09-2020 12:16 PM
This is one version of your challenge https://community.splunk.com/t5/Getting-Data-In/How-to-create-an-alert-for-the-host-not-sending-data...
r. Ismo
0 Karma
Reply

ivan123357
Explorer
‎11-10-2020 01:32 AM

I tried this way but I didn't receive any result. I am a newbie in Splunk 😞 

What do you think about this way?:

I can search all events with a successful update using regex search 

source="WinEventLog:System" | regex Message = "KB5555555" and for example i receive a few events from two hosts. First question: How I can create a table with a list of these hosts?

As I guess, then I can't use a search like "source="WinEventLog:System" | regex not Message = "KB5555555"" to find all hosts without this update because this search won't show any events.  

I'm stumped 😞 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...