Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Priya70
Priya70
Explorer
Member since:
10-14-2024
Community Statistics
| Posts | 43 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 10-14-2024 |
Activity Feed
- Posted Re: UF Data Interruption on Getting Data In. 08-21-2025 11:28 AM
- Posted Re: UF Data Interruption on Getting Data In. 08-21-2025 07:06 AM
- Posted UF Data on Getting Data In. 08-19-2025 06:54 AM
- Posted Re: Splunk Dashboard Panels Not Rendered on Dashboards & Visualizations. 06-03-2025 08:35 AM
- Posted Splunk Dashboard Panels Not Rendered on Dashboards & Visualizations. 06-02-2025 05:41 PM
- Posted Re: How do I monitor Windows application install and removal? on Splunk Search. 03-06-2025 07:46 AM
- Posted Re: How do I monitor Windows application install and removal? on Splunk Search. 03-05-2025 10:26 AM
- Posted Re: Splunk UF after Sleep/Hibernate on Getting Data In. 12-31-2024 09:34 AM
- Posted Re: Splunk UF after Sleep/Hibernate on Getting Data In. 12-31-2024 08:46 AM
- Posted Re: Splunk UF after Sleep/Hibernate on Getting Data In. 12-31-2024 06:36 AM
- Posted Re: Splunk UF on Getting Data In. 12-30-2024 01:33 PM
- Posted Splunk on Getting Data In. 12-27-2024 11:54 AM
- Posted UF on Getting Data In. 12-27-2024 11:32 AM
- Posted Re: Concerning the Splunk Universal Forwarder 9.x Scheduler Cron Syntax on Getting Data In. 12-19-2024 10:58 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-21-2025
11:28 AM
08-21-2025
07:06 AM
08-19-2025
06:54 AM
Labels
06-03-2025
08:35 AM
Hi,
... View more
03-06-2025
07:46 AM
Hi @gcusello I can confirm that regex is correct bcz I see the app names when I display it on the table. The problem is its not returning anything when there are devices with only uninstall event, but no subsequent install event for the same application. Also, not sure why I am keep on getting events for the same application being "removed successfully" everyday when there is no installation of the application later on.
... View more
03-05-2025
10:26 AM
Hi @gcusello I am working on this exact query. The problem is that I do not get any results even though I have devices reporting only uninstall event code, which is 11724. The appname is being extracted correctly using the following rex: | rex field=Message "Product: (?<appname>[^\-]+)" Could you please help me fix the query? index=wineventlog EventCode IN ("11724","11707") Message="*sampleapp*"
| rex field=Message "Product: (?<appname>[^\-]+)"
| stats
latest(eval(if(EventCode="11724",_time,""))) AS uninstall
latest(eval(if(EventCode="11707",_time,""))) AS install
dc(EventCode) AS EventCode_count
BY host appname
| eval diff=install-uninstall
| where (EventCode_count=1 AND EventCode="11724") OR (EventCode_count=2 AND diff<300)
... View more
Contact Me
