Splunk Search

String Value

amorberg
New Member

What search string would I use to find out which computers do NOT have a specific piece of software? I have the Splunk TA Windows add-on working and pulling in all the information from my universal forwarders. I can easily find all the computers that do have a specific piece of software installed, but I only care about those that don't have it. Below is some information that we are indexing that could maybe help to find the results. I want to know which computers do NOT have SentinelOne.

2019-12-17 14:42:02.668
Installed application enumerated from "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sentinel Agent"
DisplayName="Sentinel Agent"
ApplicationVersion=3.1.4.50
Publisher=SentinelOne
DisplayIcon=C:\Program Files\SentinelOne\Sentinel Agent 3.1.4.50\uninstall.exe
DisplayVersion=3.1.4.50
URLInfoAbout=http://www.sentinelone.com/support/
Contact=support@sentinelone.com
InstallDate=20190731
UninstallString="C:\Program Files\SentinelOne\Sentinel Agent 3.1.4.50\uninstall.exe" /uninstall

0 Karma

amorberg
New Member

Doesn't the string give me all the hosts that have Sentinel Agent?

index=Your_index sourcetype=Your_sourcetype DisplayName="Sentinel Agent" |stats count by host

When I run the strings you provided I get results, but the search string above gives me almost the same results as the first string you provided. It doesn't seem to be narrowing my results down to show only the hosts that do not have Sentinel Agent.

0 Karma

mydog8it
Builder

Searching for what is not in the data is tricky and often errant. You need to start with an inventory of machines that is known to be good, so a search like this one below might give you a place to start for that:

|tstats count where index=Your_index by host

That search will give you back all the values of the host field for the index you specify. If all your interesting computers are talking to a specific Splunk index, this search should give you the inventory.

Next you will need to craft a search that looks for each of the host names in the application install data and identify the systems that do not have SentinelOne installed.

index=Your_index sourcetype=Your_sourcetype DisplayName="Sentinel Agent" |stats count by host

Once you have the two searches returning the desired results, you will need to join the results...

|tstats count where index=Your_index by host | join type=outer host [search index=Your_index sourcetype=Your_sourcetype DisplayName="Sentinel Agent" |stats count as installed by host] | where isnull(installed)

I hope this gives you a place to start.

0 Karma
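The same three steps (inventory, install evidence, then keep only hosts with no install evidence) can be done in one search without join, which avoids the subsearch's count field overwriting the inventory's count. This is an added example, not code from the original answer; index=Your_index, sourcetype=Your_sourcetype and the field names seen/installed are placeholders to adapt.

```spl
| tstats count AS seen WHERE index=Your_index BY host
| append
    [ search index=Your_index sourcetype=Your_sourcetype DisplayName="Sentinel Agent"
      | stats count AS installed BY host ]
| stats max(seen) AS seen, max(installed) AS installed BY host
| where isnull(installed)
| table host
```

The inventory half lists every host that sent anything to the index in the search window, so a host whose last install enumeration fell outside that window will show up as missing; run it over a range that covers at least one full inventory cycle.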