Splunk Search

subsearch help

Contributor

Not sure how to really explain this....

I would like to look in my Windows logs for newly installed products and list the products, then look back and see what installed products have never been installed.

I know how to create the search and I know how to create a subsearch, but how do you search for items that are not in the results of the subsearch?

For example, if I had a search that returned productA, ProductB, ProductC for the current week, and I want to see if any products other than "productA, ProductB, ProductC" were installed last week - how would I go about this?

I am trying to basically create a whitelist. I might eventually just make a lookup to take care of this, but I would like to have a search for testing and validation.

Thanks-


Contributor

index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707 | dedup _raw | rex field=Message "(?s)Product: (?<product_name>.*) --" | fields product_name [search index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707 | dedup _raw | rex field=Message "(?s)Product: (?<product_name>.*) --" | fields product_name | format "NOT (" "" "" "" "OR" ")"]

Getting errors like:

Error in 'fields' command: Invalid argument: 'product_name=Java(TM) 6 Update 43'


SplunkTrust

You negate the subsearch.

your_main_search [ your_subsearch_with_known_products| format "NOT (" "" "" "" "OR" ")"]

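Putting the two posts together, as an added example that is not from either poster: the negated subsearch belongs in a search clause, not appended to fields (which is what made fields treat the subsearch output as its arguments and raise the Invalid argument error above), and it must run after rex has created product_name in the main search, otherwise product_name does not exist yet and the NOT filter matches nothing useful. The time ranges (this week versus the week before), the dedup on product_name and the lazy .*? in the rex are assumptions chosen for this example.

```spl
index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707 earliest=-14d@d latest=-7d@d
| rex field=Message "(?s)Product: (?<product_name>.*?) --"
| search NOT [ search index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707 earliest=-7d@d latest=now
               | rex field=Message "(?s)Product: (?<product_name>.*?) --"
               | dedup product_name
               | fields product_name
               | format "(" "" "" "" "OR" ")" ]
| stats count AS installs earliest(_time) AS first_seen values(host) AS hosts BY product_name
| convert ctime(first_seen)
```

The subsearch expands to ( product_name="..." OR product_name="..." ) for every product seen this week, so the outer search returns only last week's installs of products absent from that list; swapping the two time ranges turns the same search into "new this week, never seen before" for whitelist validation.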