Splunk Search

subsearch help

mcbradford
Contributor

Not sure how to really explain this....

I would like to look in my windows logs for new installed products and list the products, then look back and see what installed products have never been installed.

I know how to create the search and I know how to create a subsearch, but how do you search for items that are not in the results of the subsearch?

For example if I had a search that returned productA, ProductB, ProductC for the current week, and I want to see if any products other than "productA, ProductB, ProductC " were installed last week - how would I go about this?

I am trying to basically create a whitelist. I might eventually just make a lookup to take care of this, but I would like to have a search for testing and validation.

Thanks-

Tags (1)
0 Karma

mcbradford
Contributor

index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707 | dedup _raw | rex field=Message "(?s)Product: (?.) --" | fields product_name [search index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707 | dedup _raw | rex field=Message "(?s)Product: (?.) --" |fields product_name |format "NOT (" "" "" "" "OR" ")"]

getting errors like

Error in 'fields' command: Invalid argument: 'product_name=Java(TM) 6 Update 43'

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

You negate the subsearch.

your_main_search [ your_subsearch_with_known_products| format "NOT (" "" "" "" "OR" ")"]

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...