I have this query which is "mostly" working:
sourcetype=Script:InstalledApps | stats values(host) AS Hosts by DisplayName, DisplayVersion
I get what I'm expecting from the sourcetype=Script:InstalledApps part. The events show the whole DisplayName value for the applications. When I do the entire query, I don't get the whole DisplayName value. For example, "Security Update for Microsoft .NET Framework 4 Client Profile (KB3037578)" displays as "Security" when I do the stats values(host) AS Hosts by DisplayName, DisplayVersion part. Seems like it's a problem mostly with descriptions that have more than one word, but not always (?)
I'm guessing your events have a line like this:
...
DisplayName=Security Update for Microsoft .NET Framework 4 Client Profile (KB3037578)
...
While your stats - and any other use of the field - only sees DisplayName=Security?
If so, that's due to the way Splunk reads default key-value extractions. There are no quotes surrounding the string, making it hard to automagically recognize that it's more than just a word. To test this, try this search:
sourcetype=Script:InstalledApps | rex "DisplayName=(?<myDisplayName>.*)" | stats values(host) AS Hosts by myDisplayName, DisplayVersion
If that works, move the extraction into Settings -> Fields -> Field Extractions for that sourcetype. Also, make sure to submit feedback to the App's developers to please, please add quotes around the field value to make this unnecessary in the future.
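To see why the default extraction yields just "Security" and why the rex in the answer restores the full value, here is an added Python emulation (not Splunk code and not from this thread): the sample events are constructed to mimic the add-on's unquoted key=value output, and the auto-KV regex is a simplified approximation of Splunk's behaviour, assumed to stop an unquoted value at the first whitespace.

```python
import re
from collections import defaultdict

# Constructed sample events in the layout win_installed_apps.bat emits
# (one key=value per line, values unquoted). Not real data from the thread.
EVENTS = [
    ("host01", "DisplayName=Security Update for Microsoft .NET Framework 4 Client Profile (KB3037578)\nDisplayVersion=1\nPublisher=Microsoft Corporation"),
    ("host02", "DisplayName=Security Update for Microsoft .NET Framework 4 Client Profile (KB3037578)\nDisplayVersion=1\nPublisher=Microsoft Corporation"),
    ("host02", "DisplayName=Notepad++\nDisplayVersion=6.7.5\nPublisher=Notepad++ Team"),
    ("host03", "DisplayName=Security Essentials\nDisplayVersion=4.8\nPublisher=Microsoft Corporation"),
]

# Assumed approximation of Splunk's default key=value auto-extraction: a quoted
# value runs to the closing quote, an unquoted value ends at the first whitespace,
# so "Security Update for ..." is extracted as just "Security".
AUTO_KV = re.compile(r'(?m)^(\w+)=(?:"([^"]*)"|(\S*))')

def auto_extract(raw):
    """Return {field: value} the way the default extraction would see the event."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in AUTO_KV.finditer(raw)}

def default_name(raw):
    return auto_extract(raw).get("DisplayName")

def rex_extract(raw, field="DisplayName"):
    """The fix from the answer: rex "DisplayName=(?<myDisplayName>.*)" captures to end of line."""
    m = re.search(rf'(?m)^{field}=(.*)$', raw)
    return m.group(1) if m else None

def stats_values_host(events, name_extractor):
    """Emulate: ... | stats values(host) AS Hosts by DisplayName, DisplayVersion"""
    table = defaultdict(set)
    for host, raw in events:
        version = auto_extract(raw).get("DisplayVersion")
        table[(name_extractor(raw), version)].add(host)
    return {key: sorted(hosts) for key, hosts in table.items()}

if __name__ == "__main__":
    for label, extractor in (("default KV", default_name), ("rex", rex_extract)):
        print(f"--- {label} ---")
        for (name, ver), hosts in sorted(stats_values_host(EVENTS, extractor).items()):
            print(f"{name!r:75} {ver:8} {hosts}")
```

The persistent equivalent of the rex is an EXTRACT- stanza under [Script:InstalledApps] in props.conf, which is what the Field Extractions UI writes for you.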
That did it... just needed the right SplunkFu! Thanks for the help martin_mueller!
I'll reach out to the Splunk Add-on for Windows app developers and mention it to them.
Yes - I could have been clearer. I'll edit the question.
Just to clarify on this - the script is getting me what I expect and the events actually do show the whole DisplayName value. When I do the query, I don't get the whole DisplayName value.
Ah, ok. So it would appear the stats command is truncating your DisplayName to the first word (field delimiter of a space). I'm not seeing anything on why that would be happening at the moment. Perhaps edit your original question if you can to make that point clearer.
Can you post the script up here as it's likely something in the way the script is capturing the application name.
Sure - the script is from the Splunk Add-on for Windows app (win_installed_apps.bat):
@echo off
REM --------------------------------------------------------
REM Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved.
REM --------------------------------------------------------
setlocal EnableDelayedExpansion
REM For each app key, print out the name of the app and any parameters under the entry
for /f "tokens=*" %%G in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" ^| findstr "Uninstall\\"') do (call :output_reg "%%G" 72)
REM Do the same as above but with 32-bit apps, first checking if the key exists
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" >nul 2>&1
if %ERRORLEVEL% EQU 0 (
for /f "tokens=*" %%G in ('reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" ^| findstr "Uninstall\\"') do (call :output_reg "%%G" 84)
)
goto :eof
:output_reg
REM Echo an empty line to indicate that this is a new entry
@echo.
REM Get the current date into a variable
for /f "tokens=*" %%A in ('date /t') do for %%B in (%%A) do set date=%%B
REM Get the current time into a variable
set time = 'time /t'
for /f "tokens=1,2 delims=." %%A in ("%time%") do set time=%%A
REM Print out the date & time
@echo %date% %time%
REM Add the enumerated key
@echo Installed application enumerated from %1
REM Get the name of the app from the last segment in the registry path
set app_name=%1
REM Strips out the first x characters (from input) of the path in order to get just the app name
set "app_name=!app_name:~%2%,150!"
REM Strip the last quote
set app_name=%app_name:~0,-1%
REM Store a count value so that we can avoid printing the first entry
set count=0
REM This variable determines if the display name was found
set display_name_found=0
REM Now get the sub-keys
for /F "tokens=1,2*" %%A in ('reg query %1') do (
set /a count+=1
REM Skip the entry if it just repeats the name we are querying for or if it is blank or if is "<NO" (which indicates the item has no name)
if not "%%A" == %1 if not "%%A" == "" if not "%%A" == "<NO" echo %%A=%%C
REM Note that the display name was already found
if %%A==DisplayName set /a display_name_found=1
)
REM If the display name was not found, then use the name of the registry path name instead
if !display_name_found!==0 echo DisplayName=%app_name%