Splunk Search

Determine which hosts don't have a particular piece of software installed

Olatundeny
Engager

index=xxxx sourcetype="Script:InstalledApps" DisplayName="Carbon Black Cloud Sensor 64-bit"

I am trying to get the list/names of hosts that don't have Carbon Black installed. Can someone help me with a simple query for this? If I do DisplayName!= and then table the host, it's not giving me the correct result.

0 Karma
1 Solution

PickleRick
SplunkTrust

And that makes sense. I assume that your script produces several events per host, one for each piece of software installed. So if you just filter the raw events to get only those not being a Carbon Black inventory/installation/whatever report, you'll still get all the remaining software from that host, so this host will still be in your results.

You need to first group your results by host and then filter to get only those without Carbon Black.

index=windowsevent sourcetype="Script:InstalledApps"
| stats values(DisplayName) as DisplayName by host
| search NOT DisplayName="Carbon Black*"

One additional word of explanation about the last line: the search command makes use of how Splunk processes matching for multivalued fields. It tries every value from a multivalued field to decide whether it can find a matching one or not.


0 Karma

PickleRick
SplunkTrust

Adding to @yuanliu 's remark - one more thing about the matching logic. Remember that "key!=value" condition is not the same as "NOT key=value" condition.

The "key!=value" condition will match only events having the key called "key" which have values not matching "value". But the "NOT key=value" will do that but also match all events where the key called "key" is not present at all.

0 Karma
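To make the two points above concrete, here is an added Python simulation (not Splunk code and not from this thread) of the three queries on constructed inventory events: the event-level NOT filter plus dedup returns every host, grouping with stats first returns only the hosts without Carbon Black, and "!=" versus "NOT" differ on events that lack the field entirely.

```python
# Added example: simulates Splunk's event-level filtering versus per-host
# grouping on constructed Script:InstalledApps events (one event per app).
CB = "Carbon Black Cloud Sensor 64-bit"

# Constructed sample data: ws-03 has no Carbon Black; ws-04 has an event
# with no DisplayName field at all (e.g. a malformed script line).
EVENTS = [
    {"host": "ws-01", "DisplayName": CB},
    {"host": "ws-01", "DisplayName": "7-Zip"},
    {"host": "ws-02", "DisplayName": CB},
    {"host": "ws-02", "DisplayName": "Google Chrome"},
    {"host": "ws-03", "DisplayName": "7-Zip"},
    {"host": "ws-03", "DisplayName": "Notepad++"},
    {"host": "ws-04"},
]

def naive_filter(events):
    """`... NOT DisplayName="<CB>" | dedup host | table host`.
    Each host still has non-CB events, so every host survives."""
    return sorted({e["host"] for e in events if e.get("DisplayName") != CB})

def group_then_filter(events, prefix="Carbon Black"):
    """`| stats values(DisplayName) as DisplayName by host
       | search NOT DisplayName="Carbon Black*"`.
    A multivalued field matches when ANY value matches, so NOT keeps only
    hosts where no collected value starts with the prefix."""
    per_host = {}
    for e in events:
        names = per_host.setdefault(e["host"], set())
        if "DisplayName" in e:
            names.add(e["DisplayName"])
    return sorted(h for h, names in per_host.items()
                  if not any(n.startswith(prefix) for n in names))

def not_equal(events, value):
    """`DisplayName!=value`: only events that HAVE the field and differ."""
    return [e for e in events
            if "DisplayName" in e and e["DisplayName"] != value]

def not_clause(events, value):
    """`NOT DisplayName=value`: also keeps events lacking the field."""
    return [e for e in events if e.get("DisplayName") != value]
```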

Olatundeny
Engager

Thank you. Maybe I am not being clear enough. I apologize.

index=windowsevent sourcetype="Script:InstalledApps" NOT DisplayName="Carbon Black Cloud Sensor 64-bit"
| dedup host
| table host


When I ran this, it returned all the hosts I have in Splunk, and many of those hosts have the Carbon Black Cloud Sensor installed.

0 Karma

Olatundeny
Engager

This works!! Thank you

0 Karma

yuanliu
SplunkTrust

If something is "not giving (you) the correct result," you need to describe what the correct result is.  In addition, you   Otherwise volunteers will be wasting their time guessing.

Maybe you mean the alternative NOT DisplayName="Carbon Black Cloud Sensor 64-bit"? Maybe there is something else in the data that you didn't describe that others need to know in order to help?

0 Karma