Windows Software Matrix

Description:

This query generates a software matrix for viewing the names and versions of all software installed on Windows hosts reporting to Splunk. It requires the stanza [script://.\bin\win_installed_apps.bat] to be enabled in the Splunk Add-on for Microsoft Windows (Splunk_TA_windows). We run it once a day and have a dashboard for viewing the data that is fixed to the past 24 hours.

Add-Ons Required:

Splunk Add-on for Microsoft Windows

Query:

sourcetype="Script:InstalledApps" Publisher=* DisplayName=* (DisplayName!="{*" DisplayName!=Hotfix* DisplayName!=KB*)
 | rex field=DisplayName ".(?<DisplayName>.*)."
 | rex field=DisplayName "(?<DisplayName>.*)( - )(.*)"
 | rex field=DisplayName "(?<DisplayName>.*)\s([0-9]+)(|(\.[0-9]+))"
 | rex field=DisplayName "(\?+\s)+(?<DisplayName>.[^\?]+)*"
 | rex field=Publisher "(?<Publisher>.[^\,]+)"
 | rex field=Publisher "(?<Publisher>.*)(( Systems($| Incorporated$))|( Inc\.$))"
 | rex field=Publisher "(?<Publisher>.*)(\.$)"
 | eval "EventObject.DisplayName"=mvappend('DisplayName',"")
 | chart limit=0 useother=t first(DisplayVersion) AS Version BY host "EventObject.DisplayName"

You can use the fields in the first line of the search to narrow it to a specific view. I left the fields I like to filter on in the search filter with wildcards (for example, replacing Publisher=* with Publisher=Microsoft* limits the matrix to that vendor).
The search also excludes entries whose DisplayName is just the registry key's GUID (entries with no real name), a Hotfix, or a KB update. Drop those three exclusions from the first line to include hotfixes and Windows KB updates in the matrix.

I had to do a lot of regex to clean up the DisplayName and Publisher fields, and it is based on what I saw in my environment, so you may need to change these to fit your data.

The rex stages work as follows. For DisplayName: the first rex drops one leading and one trailing character; the second cuts everything from the last " - " onward; the third cuts from the last space-followed-by-digits token onward (it is not anchored to the end of the string, so anything after that version token is removed too); the fourth strips a leading run of "? " left behind by mis-encoded characters. For Publisher: the first rex keeps everything before the first comma, the second drops a trailing " Systems", " Systems Incorporated" or " Inc.", and the third drops a trailing period. A rex only rewrites the field when its pattern matches, so a value that matches none of them passes through unchanged. Note that the first DisplayName rex strips a character from each end unconditionally: if your extraction does not carry a wrapping character (quotes or whitespace) around the value, it will remove the first and last letter of every name, so check a few raw values before reusing it. Finally, chart limit=0 keeps a column for every distinct name instead of rolling the long tail into OTHER, which is what you want for an inventory.
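The rex chain is easiest to tune if you can run it against a handful of values before editing the saved search. The Python harness below is added here as an example; it is not part of the original post or of the Splunk add-on. It replays the query's normalization stages with the same expressions (only Splunk's (?<name>...) capture syntax is rewritten as Python's (?P<name>...)) and builds the host-by-software table that the chart command produces. The sample events are constructed: the double quotes around most DisplayName values stand in for whatever single wrapping character the first rex removes in the author's data, and one unquoted value is included to show what that stage does when the assumption does not hold. The search-time filters on the first line of the query are not modelled; the sample only contains values that would pass them.

```python
import re
from collections import OrderedDict

# The rex stages from the query, in order. Splunk's (?<name>...) capture syntax
# is written as Python's (?P<name>...); the expressions are otherwise unchanged.
DISPLAYNAME_STAGES = [
    r".(?P<DisplayName>.*).",                       # drop one leading and one trailing character
    r"(?P<DisplayName>.*)( - )(.*)",                # cut from the last " - " onward
    r"(?P<DisplayName>.*)\s([0-9]+)(|(\.[0-9]+))",  # cut from the last " <digits>" token onward (unanchored)
    r"(\?+\s)+(?P<DisplayName>.[^\?]+)*",           # strip a leading run of "? " from mis-encoded names
]
PUBLISHER_STAGES = [
    r"(?P<Publisher>.[^\,]+)",                                     # keep text before the first comma
    r"(?P<Publisher>.*)(( Systems($| Incorporated$))|( Inc\.$))",  # drop " Systems[ Incorporated]" / " Inc."
    r"(?P<Publisher>.*)(\.$)",                                     # drop a trailing period
]


def apply_rex(value, pattern, field):
    """Emulate `| rex field=<field> "<pattern>"` on one value.

    SPL's rex rewrites the field only when the pattern matches. Assumption made
    here: a matching pattern whose named group captured nothing also leaves the
    field alone.
    """
    m = re.search(pattern, value)
    if m is None or m.group(field) is None:
        return value
    return m.group(field)


def normalize(value, stages, field):
    """Run a value through a list of rex stages, feeding each result to the next."""
    for pattern in stages:
        value = apply_rex(value, pattern, field)
    return value


def normalize_event(event):
    """Return a copy of an InstalledApps event with DisplayName and Publisher cleaned."""
    cleaned = dict(event)
    cleaned["DisplayName"] = normalize(event["DisplayName"], DISPLAYNAME_STAGES, "DisplayName")
    cleaned["Publisher"] = normalize(event["Publisher"], PUBLISHER_STAGES, "Publisher")
    return cleaned


def build_matrix(events):
    """Emulate `| chart first(DisplayVersion) AS Version BY host DisplayName`.

    Returns {host: {cleaned DisplayName: first DisplayVersion seen}}.
    """
    matrix = OrderedDict()
    for event in map(normalize_event, events):
        row = matrix.setdefault(event["host"], OrderedDict())
        row.setdefault(event["DisplayName"], event["DisplayVersion"])  # first() keeps the earliest value
    return matrix


# Constructed sample events in the shape of the fields the query consumes. The
# double quotes around DisplayName stand in for the single wrapping character the
# first rex stage removes; hosts and version strings are made up.
SAMPLE_EVENTS = [
    {"host": "WS01", "DisplayName": '"Google Chrome"', "DisplayVersion": "118.0.5993.90", "Publisher": "Google LLC"},
    {"host": "WS01", "DisplayName": '"Google Chrome"', "DisplayVersion": "117.0.5938.150", "Publisher": "Google LLC"},
    {"host": "WS01", "DisplayName": '"Python 3.11.6 (64-bit)"', "DisplayVersion": "3.11.6150.0", "Publisher": "Python Software Foundation"},
    {"host": "WS01", "DisplayName": '"Adobe Acrobat (64-bit)"', "DisplayVersion": "23.006.20360", "Publisher": "Adobe Systems Incorporated"},
    {"host": "WS02", "DisplayName": '"Mozilla Firefox 119.0 (x64 en-US)"', "DisplayVersion": "119.0", "Publisher": "Mozilla"},
    {"host": "WS02", "DisplayName": '"VMware Tools"', "DisplayVersion": "12.3.0.22234872", "Publisher": "VMware, Inc."},
    {"host": "WS02", "DisplayName": '"??? Microsoft Edge"', "DisplayVersion": "118.0.2088.76", "Publisher": "Microsoft Corporation"},
    # No wrapping character: stage 1 eats the "7" and the ")", then stage 3 cuts at " 23",
    # leaving "-Zip". This is the failure mode to check for before reusing the first rex.
    {"host": "WS02", "DisplayName": "7-Zip 23.01 (x64)", "DisplayVersion": "23.01", "Publisher": "Igor Pavlov"},
]


if __name__ == "__main__":
    matrix = build_matrix(SAMPLE_EVENTS)
    columns = sorted({name for row in matrix.values() for name in row})
    print("host".ljust(6) + "".join(c.ljust(26) for c in columns))
    for host, row in matrix.items():
        print(host.ljust(6) + "".join(row.get(c, "").ljust(26) for c in columns))
```

Swap your own raw DisplayName and Publisher values into SAMPLE_EVENTS (copied from a few Script:InstalledApps events) and run the script; every column name it prints is exactly what the chart command would produce, so any mangled name points at the stage that needs adjusting for your data.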
