Software inventory

I’ve been looking a while for something like this, and decided to make it myself. This relies on the tinv_software _inventory add-on found on Splunkbase, but you can do it without, if you feel like it.

<form>
  <label>Software Inventory</label>
  <fieldset submitButton="false" autoRun="false">
    <input type="dropdown" token="software_picker" searchWhenChanged="true">
      <label>Software</label>
      <choice value="&quot;falcon-sensor&quot; &quot;Crowdstrike Windows Sensor&quot;">Crowdstrike</choice>
      <choice value="&quot;*qualys*&quot;">Qualys</choice>
      <choice value="&quot;*SecureConnector*&quot;">Forescout</choice>
      <prefix>tinv_software_name IN (</prefix>
      <suffix>)</suffix>
      <default>"falcon-sensor" "Crowdstrike Windows Sensor"</default>
    </input>
    <input type="dropdown" token="environment_picker" searchWhenChanged="true">
      <label>Environment</label>
      <choice value="On-Prem">On-Prem</choice>
      <choice value="AWS">AWS</choice>
      <choice value="env2">env2</choice>
      <choice value="env3">env3</choice>
      <choice value="env4">env4</choice>
      <prefix>Environment IN (</prefix>
      <suffix>)</suffix>
      <default>On-Prem</default>
    </input>
    <input type="dropdown" token="os_picker" searchWhenChanged="true">
      <label>Operating System</label>
      <choice value="windows">Windows</choice>
      <choice value="unix">Linux</choice>
      <default>windows</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| tstats count where index IN ($os_picker$) host!=*.txt by host 
| eval host=lower(host) 
| eval Environment=case(host LIKE "%desktop%" OR host LIKE "%z1-%" OR host LIKE "ec2%" OR host LIKE "%z2-%" OR host LIKE "%z-%" OR host LIKE "%z3-%" OR host LIKE "i-%", "AWS", host LIKE "cc%", "Communicorp",host LIKE "%win%" OR host LIKE "%awn%", "Argus", host LIKE "%empoweredbenefits.com", "Empowered Benefits",1=1,"On-Prem")
| search $environment_picker$
| join host type=outer 
    [| search index=$os_picker$ tag=software tag=inventory $software_picker$ 
    | eval host=lower(host) 
    | fields host  tinv_software_name tinv_software_version
        ] 
| fillnull value="-" tinv_software_name
| rename tinv_software_name AS "Software Name" tinv_software_version AS "Version"
| fields host  "Software Name" "Version" Environment
| sort -tinv_software_name</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Hope this helps. Let me know if you have any suggestions.

Share This:

Leave A Comment?