Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: how to retrieve the IE version using splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a farm of Windows Boxes, and it's a pain to figure which versions of IE they are running on.
The only place I found the versions are in the registry, Can I use splunk to collect the versions per host ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A method to retrieve the IE version on windows instances, using a Splunk universal forwarder is to setup a registry monitor on the Hive : \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER and look at the values in the keys : Version, W2kVersion, svcUpdateVersion, svcVersion ...
You can create this input that from the input UI on a search-head or indexer, or can use the configuration file for forwarders. The important point is that you want to retrieve the baseline value (other wise the monitor will only collect modifications).
Of course splunk service has to run under an user that has permissions to call the registry.
Example of inputs.conf
[WinRegMon://ieVersion]
baseline = 1
disabled = 0
hive = HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER
proc = C:\\.*
type = create|delete|rename|set
see the specifications for details on the WinRegMon input
http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf
The baseline event collected will look like :
04/09/2014 03:19:15.376
registry_type="baseline"
key_path="\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\Version"
data_type="REG_SZ"
data="9.0.8112.16421"
And you can see the timestamp will be the first time the input runs. So to figure the current value for a host, you may have to search over "all time".
If needed you can save the results in a lookup and reuse the results instead of searching all time.
index=main sourcetype=WinRegistry key_path="*INTERNET EXPLORER\*Version" | rex field=key_path "INTERNET EXPLORER\\\(?<key>\w+)$" | stats earliest(_time) AS _time earliest(data) AS version by host key
example of results with a single host :
host key _time version
Win2k8Sup11 OSVersion 2011-06-18 03:21:54 3.6.1.0.0
Win2k8Sup11 Version 2014-04-09 03:19:15 9.0.8112.16421
Win2k8Sup11 W2kVersion 2014-04-09 03:19:15 9.0.8112.16421
Win2k8Sup11 svcUpdateVersion 2014-04-09 03:19:15 9.0.26
Win2k8Sup11 svcVersion 2014-04-09 03:19:15 9.0.8112.16421
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A method to retrieve the IE version on windows instances, using a Splunk universal forwarder is to setup a registry monitor on the Hive : \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER and look at the values in the keys : Version, W2kVersion, svcUpdateVersion, svcVersion ...
You can create this input that from the input UI on a search-head or indexer, or can use the configuration file for forwarders. The important point is that you want to retrieve the baseline value (other wise the monitor will only collect modifications).
Of course splunk service has to run under an user that has permissions to call the registry.
Example of inputs.conf
[WinRegMon://ieVersion]
baseline = 1
disabled = 0
hive = HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER
proc = C:\\.*
type = create|delete|rename|set
see the specifications for details on the WinRegMon input
http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf
The baseline event collected will look like :
04/09/2014 03:19:15.376
registry_type="baseline"
key_path="\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\Version"
data_type="REG_SZ"
data="9.0.8112.16421"
And you can see the timestamp will be the first time the input runs. So to figure the current value for a host, you may have to search over "all time".
If needed you can save the results in a lookup and reuse the results instead of searching all time.
index=main sourcetype=WinRegistry key_path="*INTERNET EXPLORER\*Version" | rex field=key_path "INTERNET EXPLORER\\\(?<key>\w+)$" | stats earliest(_time) AS _time earliest(data) AS version by host key
example of results with a single host :
host key _time version
Win2k8Sup11 OSVersion 2011-06-18 03:21:54 3.6.1.0.0
Win2k8Sup11 Version 2014-04-09 03:19:15 9.0.8112.16421
Win2k8Sup11 W2kVersion 2014-04-09 03:19:15 9.0.8112.16421
Win2k8Sup11 svcUpdateVersion 2014-04-09 03:19:15 9.0.26
Win2k8Sup11 svcVersion 2014-04-09 03:19:15 9.0.8112.16421
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It worked.
And because I only keep 30 days of data, to save the baseline longer.
I used the search with
| outputlookup ieversion.csv to save the list to compare later.
using this technique http://answers.splunk.com/answers/3769/does-outputlookup-append-or-overwrite
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
