
how to retrieve the IE version using splunk

mataharry
Communicator

I have a farm of Windows boxes, and it's a pain to figure out which versions of IE they are running.
The only place I found the versions is in the registry. Can I use splunk to collect the versions per host?

1 Solution

yannK
Splunk Employee
Splunk Employee

A method to retrieve the IE version on Windows instances, using a Splunk universal forwarder, is to set up a registry monitor on the hive \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER and look at the values in the keys Version, W2kVersion, svcUpdateVersion, svcVersion ...

You can create this input from the input UI on a search head or indexer, or use the configuration file for forwarders. The important point is that you want to retrieve the baseline value (otherwise the monitor will only collect modifications).
Of course the splunk service has to run under a user that has permissions to call the registry.

Example of inputs.conf:


[WinRegMon://ieVersion]
baseline = 1
disabled = 0
hive = HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER
proc = C:\\.*
type = create|delete|rename|set

See the specification for details on the WinRegMon input:
http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

The baseline event collected will look like:

04/09/2014 03:19:15.376
registry_type="baseline"
key_path="\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\Version"
data_type="REG_SZ"
data="9.0.8112.16421"

And you can see the timestamp will be the first time the input runs. So to figure out the current value for a host, you may have to search over "all time".
If needed you can save the results in a lookup and reuse them instead of searching all time.


index=main sourcetype=WinRegistry key_path="*INTERNET EXPLORER\*Version" | rex field=key_path "INTERNET EXPLORER\\\(?<key>\w+)$" | stats earliest(_time) AS _time earliest(data) AS version by host key

Example of results with a single host:

host         key               _time                version
Win2k8Sup11  OSVersion         2011-06-18 03:21:54  3.6.1.0.0
Win2k8Sup11  Version           2014-04-09 03:19:15  9.0.8112.16421
Win2k8Sup11  W2kVersion        2014-04-09 03:19:15  9.0.8112.16421
Win2k8Sup11  svcUpdateVersion  2014-04-09 03:19:15  9.0.26
Win2k8Sup11  svcVersion        2014-04-09 03:19:15  9.0.8112.16421

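To make the behaviour of the search in the answer concrete offline, here is an added Python example (not code from the answer or from Splunk) that parses WinRegMon-style events in the key=value layout shown above and reduces them per host and key the way the `stats ... by host key` search does. The events, the host names Win2k8Sup11 and Win7Lab03, the timestamps and the version strings are all constructed for the demo; in Splunk the host is a separate indexed field, so here it is embedded as a first `host="..."` line in each event. The example goes one step beyond the answer's `earliest(data)`: it also keeps the value from the most recent event, so that a later `set` event (an IE upgrade recorded after the baseline) is visible next to the baseline value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data). Same field layout as the baseline
# event in the answer; a "set" event for Win7Lab03 simulates an IE upgrade
# recorded after the baseline was taken.
SAMPLE_EVENTS = r"""
host="Win2k8Sup11"
04/09/2014 03:19:15.376
registry_type="baseline"
key_path="\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\Version"
data_type="REG_SZ"
data="9.0.8112.16421"

host="Win2k8Sup11"
04/09/2014 03:19:15.376
registry_type="baseline"
key_path="\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\svcUpdateVersion"
data_type="REG_SZ"
data="9.0.26"

host="Win2k8Sup11"
04/09/2014 03:19:15.376
registry_type="baseline"
key_path="\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\Main\Start Page"
data_type="REG_SZ"
data="about:blank"

host="Win7Lab03"
04/09/2014 03:20:01.100
registry_type="baseline"
key_path="\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\Version"
data_type="REG_SZ"
data="8.0.7601.17514"

host="Win7Lab03"
05/02/2014 11:42:10.005
registry_type="set"
key_path="\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\Version"
data_type="REG_SZ"
data="9.0.8112.16421"
"""

# Same pattern as the rex in the answer: the key name is the last path
# component directly under "INTERNET EXPLORER".
KEY_RE = re.compile(r"INTERNET EXPLORER\\(?P<key>\w+)$")
FIELD_RE = re.compile(r'^(\w+)="(.*)"$')
TS_FMT = "%m/%d/%Y %H:%M:%S.%f"


def parse_events(raw):
    """Split the blank-line separated text into one dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", raw.strip()):
        ev = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                ev[m.group(1)] = m.group(2)
            else:
                # The only unquoted line is the event timestamp.
                ev["_time"] = datetime.strptime(line.strip(), TS_FMT)
        events.append(ev)
    return events


def ie_versions(events):
    """Return {(host, key): {"first_seen", "first", "current"}}.

    first_seen/first mirror earliest(_time)/earliest(data) from the answer's
    search; current is the data of the latest event for that host and key,
    so a "set" event after the baseline overrides the baseline value.
    Only keys whose name ends in "Version" are kept, like the
    key_path="*INTERNET EXPLORER\\*Version" filter in the search.
    """
    by_host_key = defaultdict(list)
    for ev in events:
        m = KEY_RE.search(ev.get("key_path", ""))
        if not m or not m.group("key").endswith("Version"):
            continue
        by_host_key[(ev["host"], m.group("key"))].append(ev)

    result = {}
    for host_key, evs in by_host_key.items():
        evs.sort(key=lambda e: e["_time"])
        result[host_key] = {
            "first_seen": evs[0]["_time"],
            "first": evs[0]["data"],
            "current": evs[-1]["data"],
        }
    return result


if __name__ == "__main__":
    for (host, key), v in sorted(ie_versions(parse_events(SAMPLE_EVENTS)).items()):
        print(f"{host:12} {key:18} {v['first_seen']:%Y-%m-%d %H:%M:%S}  "
              f"baseline={v['first']}  current={v['current']}")
```

Run as a script it prints one row per host and key, in the same shape as the results table in the answer; the Win7Lab03 row shows why picking the latest event rather than the earliest matters once the monitor has recorded a change after the baseline.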
mataharry
Communicator

It worked.
And because I only keep 30 days of data, to save the baseline longer I used the search with
| outputlookup ieversion.csv
to save the list to compare later.

Using this technique: http://answers.splunk.com/answers/3769/does-outputlookup-append-or-overwrite
