@dglass0215 Is there a feature/search so that you can search for a specific application installed on all of the computers? Thank you

You can use the field named "DisplayName". Something like this:

sourcetype="Script:InstalledApps" DisplayName="\"McAfee*"\"

I am doing this search:
index=windows sourcetype="Script:InstalledApps" DisplayName="Microsoft Visio Viewer 2013"
| fields host,DisplayName
| dedup host, DisplayName | eval
| fields host,DisplayName,UserName |stats values(DisplayName) AS Applications by host Last_Seen

And i get this error;
Error in 'eval' command: Arguments are missing. Usage: eval dest_key = expression.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

Could you advise?

your eval isn't eval'ing anything

try

index=windows sourcetype="Script:InstalledApps" DisplayName="Microsoft Visio Viewer 2013"
| stats values(DisplayName) as Applications by host Last_Seen

i tried that, i forgot to add the host=* so that it also displays the host name of the computer

index=windows sourcetype="Script:InstalledApps" DisplayName="Microsoft Visio Viewer 2013" host=*
| stats values(DisplayName) as Applications by host Last_Seen

This still didn't work, there is no error; just no events found despite this software being installed on at least 50 machines

is DisplayName is multivalue field?

If so, you may have some issues

try | stats count by DisplayName host Last_Seen maybe

@wmyersas i dont know what a multivalue field is in Splunk as i am still new to it

@dglass0215 i have run the search;
index=windows sourcetype="Script:InstalledApps" DisplayName="\"Microsoft Visio Viewer 2013"\"
| stats values(DisplayName) as Applications by host Last_Seen
and it still is not displaying the list of computers with that installed.

When you run a query and do not get any results, you need to lessen the criteria until you do to help figure out where the problem is.

For example: Do you get data if you search sourcetype="Script:InstalledApps" DisplayName="\"Microsoft Visio Viewer 2013"\"

no nothing is displayed

OK, so you need to look further into exactly what is in the DisplayName when you run just the query sourcetype="Script:InstalledApps"

Do you have events if you just search sourcetype="Script:InstalledApps"

Yes it displayed all of the installed software

oh... for DisplayName you need DisplayName="\"Microsoft Visio Viewer 2013"\"

@kamlesh_vaghela

The Computer Name (Hostname), IP Address, User who is currently logged on, IP Address, Manufacturer, MAC Address, the domain and then the installed software and updates. All of this is collected using the Universal Forwarder and displayed on a handy dashboard. I believe there is more data and events collected but the above is what i am aware of.
Thanks for the help.

If you already have it on a dashboard, just export the dashboard's results into a CSV

Alternatively, open the dashboard panel in search, make and tweaks/changes, and then export those results in a CSV

Or take that search save it as scheduled report and send it directly to your manager, no manual actions needed 😉

cheers, MuS

Is it possible to give some more details on what search i could do to get the data on who has what software before generating the report to send to the user?

What are you actually trying to accomplish?

A per user report (to distribute to each user)?

What's on the dashboard you currently have?