Splunk Search

String Value

amorberg
New Member

What search string would I use to find out what computers do NOT have a specific software. I have the Splunk TA Windows add on working and pulling in all the information from my universal forwarders. I can easily find all the computers that do have a specific software installed, but only care about those that don't have it. Below is some information that we are indexing that could maybe help to find the results. I want to know what computers do NOT have SentinelOne.

2019-12-17 14:42:02.668
Installed application enumerated from "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sentinel Agent"
DisplayName="Sentinel Agent"
ApplicationVersion=3.1.4.50
Publisher=SentinelOne
DisplayIcon=C:\Program Files\SentinelOne\Sentinel Agent 3.1.4.50\uninstall.exe
DisplayVersion=3.1.4.50
URLInfoAbout=http://www.sentinelone.com/support/
Contact=support@sentinelone.com
InstallDate=20190731
UninstallString="C:\Program Files\SentinelOne\Sentinel Agent 3.1.4.50\uninstall.exe" /uninstall

0 Karma

amorberg
New Member

Doesn't the string give me all the hosts that have Sentinel Agent?

index=Your_index sourcetype=Your_sourcetype DisplayName="Sentinel Agent" |stats count by host

When I run the strings your provided I get results but the search string above gives me almost the same results as the first string you provided, it doesn't seem to be narrowing my results down to show only the hosts that do not have Sentinel Agent.

0 Karma

mydog8it
Builder

Searching for what is not in the data is tricky and often errant. You need to start with an inventory of machines that is known to be good, so a search like thie one below might give you a place to start for that:

|tstats count where index=Your_index by host

That search will give you back all the values of the host field for the index you specify. If all your interesting computers are talking to a specific Splunk index, this search should give you the inventory.

Next you will need to craft a search that looks for each of the host names in the application install data and identify the systems that do not have SentinelOne installed.

index=Your_index sourcetype=Your_sourcetype DisplayName="Sentinel Agent" |stats count by host

Once you have the two searches returning the desired results, you will need to join the results...

|tstats count where index=Your_index by host | join type=outer host [search index=Your_index sourcetype=Your_sourcetype DisplayName="Sentinel Agent" |stats count by host]

I hope this gives you a place to start.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...