Hi, I'm trying to use Splunk to provide a report on servers where a service is absent. So I have one event per service per host. So if there are 10 services running on 1 host, that is 10 different events. My idea was to do a search which combines all of the services on a host into a single field and then search where that field doesn't contain the value I am looking for, but I have no idea how to achieve this. Here are a couple of sample raw events from the same host:

20200702162757.583428
Caption=Remote Desktop Configuration
Description=Remote Desktop Configuration service (RDCS) is responsible for all Remote Desktop Services and Remote Desktop related configuration and session maintenance activities that require SYSTEM context. These include per-session temporary folders, RD themes, and RD certificates.
Name=SessionEnv
PathName=C:\WINDOWS\System32\svchost.exe -k netsvcs
StartMode=Manual
StartName=localSystem
State=Running
Status=OK
wmi_type=Service
20200702162757.583428
Caption=Symantec Endpoint Protection WSC Service
Description=Allows Symantec Endpoint Protection to report status to the Windows Security Center.
Name=sepWscSvc
PathName="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.3.558.0000.105\Bin64\sepWscSvc64.exe"
StartMode=Auto
StartName=LocalSystem
State=Running
Status=OK
wmi_type=Service

Assume I want to return hosts where the second service entry is absent.
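A search that implements the approach described above, added here as an example and not taken from the original post: `stats values(Name)` collapses every service event for a host into one multivalue field, and `search NOT` then keeps only hosts whose list lacks the service. The index name is a placeholder and the `WMI:Service` sourcetype is an assumption; the service name `sepWscSvc` is taken from the second sample event.

```spl
index=YOUR_INDEX sourcetype="WMI:Service"
| stats values(Name) AS services BY host
| search NOT services="sepWscSvc"
| table host services
```

Hosts that sent no service events at all in the time range never appear in the output, since `stats` only groups hosts that have events, so check those separately. Pick a time range covering exactly one inventory poll, otherwise an entry from an earlier poll can mask a service that was removed since.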