Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search hosts, Windows updates

ivan123357
Explorer
‎11-09-2020 09:08 AM

Hello! I am new in Splunk Search.  

I am using this query to find all hosts to which a specific update was installed:

source="WinEventLog:System" | search "KB4579311" | stats last(Keywords) as lastStatus by _time, host | search lastStatus="Installation, Failure”

But I need a query to find all hosts and create a table with hosts to which this update wasn't installed. It turns out that I need to display all hosts that were not found in the request above. Need help with it. Thank you!

Labels (2)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-09-2020 10:15 AM

Finding something that is not there is not Splunk's strong suit.  See this blog entry for a good write-up on it.

https://www.duanewaddle.com/proving-a-negative/

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ivan123357
Explorer
‎11-09-2020 10:24 AM

Thank you for your answer!

If think logically, then I need to display hosts in the logs of which a certain number of updates is NOT found, which I indicate in the search. For example:

source="WinEventLog:System" EventCode=19 | stats by host |where NOT like(Message, " Update_Number"). But this search shows all events without this string(update number) but I need only a list of hosts. 

 

 

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-09-2020 11:29 AM
Hi
I think this should work
- get list of all your wndows hosts to lookup (e.g. once a week)
- query hosts which have this fix applied
- use previous lookup within above query to get list of nodes which haven’t this fix installed.
There is quite many examples how this could do.
r. Ismo
0 Karma
Reply

ivan123357
Explorer
‎11-09-2020 11:51 AM

Hello!

Sounds great. I will try it now. 

Can you give me an example too or a URL to documentation? It would be cool if I had a fewexamples

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-09-2020 12:16 PM
This is one version of your challenge https://community.splunk.com/t5/Getting-Data-In/How-to-create-an-alert-for-the-host-not-sending-data...
r. Ismo
0 Karma
Reply

ivan123357
Explorer
‎11-10-2020 01:32 AM

I tried this way but I didn't receive any result. I am a newbie in Splunk 😞 

What do you think about this way?:

I can search all events with a successful update using regex search 

source="WinEventLog:System" | regex Message = "KB5555555" and for example i receive a few events from two hosts. First question: How I can create a table with a list of these hosts?

As I guess, then I can't use a search like "source="WinEventLog:System" | regex not Message = "KB5555555"" to find all hosts without this update because this search won't show any events.  

I'm stumped 😞 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...