Splunk Search

String Value

amorberg
New Member

What search string would I use to find out which computers do NOT have a specific piece of software installed? I have the Splunk TA Windows add-on working and pulling in all the information from my universal forwarders. I can easily find all the computers that do have a specific software installed, but I only care about those that don't have it. Below is some information that we are indexing that could maybe help to find the results. I want to know what computers do NOT have SentinelOne.

2019-12-17 14:42:02.668
Installed application enumerated from "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sentinel Agent"
DisplayName="Sentinel Agent"
ApplicationVersion=3.1.4.50
Publisher=SentinelOne
DisplayIcon=C:\Program Files\SentinelOne\Sentinel Agent 3.1.4.50\uninstall.exe
DisplayVersion=3.1.4.50
URLInfoAbout=http://www.sentinelone.com/support/
Contact=support@sentinelone.com
InstallDate=20190731
UninstallString="C:\Program Files\SentinelOne\Sentinel Agent 3.1.4.50\uninstall.exe" /uninstall

0 Karma

amorberg
New Member

Doesn't the string give me all the hosts that have Sentinel Agent?

index=Your_index sourcetype=Your_sourcetype DisplayName="Sentinel Agent" |stats count by host

When I run the strings you provided I get results, but the search string above gives me almost the same results as the first string you provided; it doesn't seem to be narrowing my results down to show only the hosts that do not have Sentinel Agent.

0 Karma

mydog8it
Builder

Searching for what is not in the data is tricky and often errant. You need to start with an inventory of machines that is known to be good, so a search like the one below might give you a place to start for that:

|tstats count where index=Your_index by host

That search will give you back all the values of the host field for the index you specify. If all your interesting computers are talking to a specific Splunk index, this search should give you the inventory.

Next you will need to craft a search that looks for each of the host names in the application install data and identify the systems that do not have SentinelOne installed.

index=Your_index sourcetype=Your_sourcetype DisplayName="Sentinel Agent" |stats count by host

Once you have the two searches returning the desired results, you will need to join the results...

|tstats count where index=Your_index by host | join type=outer host [search index=Your_index sourcetype=Your_sourcetype DisplayName="Sentinel Agent" |stats count as installed by host] | where isnull(installed)

I hope this gives you a place to start.

0 Karma
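The same inventory-minus-installed logic, written as an added example rather than code from the thread above; it assumes the index, sourcetype and field names from the question's sample event (`Your_index`, `Your_sourcetype`, `DisplayName`, `DisplayVersion`). The first `tstats` builds the host inventory for the search window, the `append` subsearch adds one row per host where the Windows TA enumerated the Sentinel Agent uninstall key, and the final `stats` collapses both sets per host so that a host seen only in the inventory keeps `has_sentinel=0`.

```spl
| tstats count AS total_events WHERE index=Your_index BY host
| eval has_sentinel=0
| append
    [ search index=Your_index sourcetype=Your_sourcetype DisplayName="Sentinel Agent"
      | stats latest(DisplayVersion) AS sentinel_version BY host
      | eval has_sentinel=1 ]
| stats max(has_sentinel) AS has_sentinel,
        max(total_events) AS total_events,
        values(sentinel_version) AS sentinel_version
        BY host
| where has_sentinel=0
| table host total_events
```

Run it over a time range that covers at least one full inventory cycle of the TA, since a host that did not send its application enumeration in the window will show up as missing the agent, and keep in mind that `append` subsearches are capped at the default result and time limits. Changing the final `where` to `has_sentinel=1` gives the complementary list with the reported agent version per host.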