Splunk Enterprise Security

Locate Missing Software

crisp023
New Member

I am trying to run a search to locate specific missing software. I'm hitting a roadblock. I don't want to have to pull all software and do an extraction. I just want to be able to see what devices are missing our AV applications. Any thoughts?

Thanks.

0 Karma
1 Solution

wmyersas
Builder

As @richgalloway said, you cannot look for some that's not there

However, you can look for things that are some places and not others

You might do something like this on a periodic basis (of course, use whatever field names fit your environment):

index=ndx sourcetype=srctp hostname=* appname=*
| stats count by hostname
| fields - count
| outputlookup allendpointswithsoftware.csv

Now you have a list of all endpoints that have installed software of any kind.

Now get a list of all endpoints that have the AV software:

index=ndx sourcetype=srctp hostname=* appname="my-AV-name"
| stats count by hostname
| fields - count
| outputlookup allendpointswithavtools.csv

Then do a diff between them:

| inputlookup allendpointswithsoftware.csv
| search NOT
[ | inputlookup allendpointswithavtools.csv ]

This will give you all the hosts that weren't in the AV-is-installed list, but are known in Splunk

View solution in original post

0 Karma

wmyersas
Builder

As @richgalloway said, you cannot look for some that's not there

However, you can look for things that are some places and not others

You might do something like this on a periodic basis (of course, use whatever field names fit your environment):

index=ndx sourcetype=srctp hostname=* appname=*
| stats count by hostname
| fields - count
| outputlookup allendpointswithsoftware.csv

Now you have a list of all endpoints that have installed software of any kind.

Now get a list of all endpoints that have the AV software:

index=ndx sourcetype=srctp hostname=* appname="my-AV-name"
| stats count by hostname
| fields - count
| outputlookup allendpointswithavtools.csv

Then do a diff between them:

| inputlookup allendpointswithsoftware.csv
| search NOT
[ | inputlookup allendpointswithavtools.csv ]

This will give you all the hosts that weren't in the AV-is-installed list, but are known in Splunk

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You can't search for something that's not there. See https://www.duanewaddle.com/proving-a-negative/
The only way to find who doesn't have something is to subtract those that do have it from the list of everyone.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...