cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Custom Query for finding VMs without software installed

awood86
Copper Contributor

‎Jul 01 2020 04:04 AM - last edited on ‎Apr 08 2022 10:31 AM by

‎Jul 01 2020 04:04 AM - last edited on ‎Apr 08 2022 10:31 AM by

Custom Query for finding VMs without software installed

Hi,

 

I was hoping someone maybe able to help me. Within Log Analytics I can query for VMs with certain software installed.

But I need to query where the VMs haven't got a certain software installed. Has anyone any suggestions?

 

Thanks

Labels:
2,699 Views
0 Likes
6 Replies
Reply
6 Replies
Noa Kuperberg

‎Jul 01 2020 07:43 AM

‎Jul 01 2020 07:43 AM

Re: Custom Query for finding VMs without software installed

Hi @awood86 ,

There are different ways to go about it, one way is to create a set of all installed software items (within a given time range) and check if a value is in that set.

Note that if it's not in the set, it only means it wasn't installed in that time range, but it's still possible it's been installed earlier... so think well what's the time range you want to use.

ConfigurationData 
| where TimeGenerated > ago(3d) 
| where ConfigDataType == "Software"
| summarize all_sotftware_installed = make_set(SoftwareName) by Computer
| where set_has_element(all_sotftware_installed, "Microsoft 365 - en-us") == 0 // 0 means it's not in the set, 1 means it is

 

HTH,

Noa

2 Likes
Reply
awood86

‎Jul 01 2020 07:53 AM

‎Jul 01 2020 07:53 AM

Re: Custom Query for finding VMs without software installed

@Noa Kuperberg thank you so much! This gives me exactly what I needed.

Just out of interest what other way would you suggest about getting this data?

0 Likes
Reply
Noa Kuperberg

‎Jul 02 2020 01:50 AM

‎Jul 02 2020 01:50 AM

Re: Custom Query for finding VMs without software installed

@awood86 really depends on your needs and your setup. The suggested query is probably the most straightforward. If you're using the Update Management solution, you can also check out the Update table for installed or needed updates.

0 Likes
Reply
ps12

‎Dec 10 2022 12:50 PM - edited ‎Dec 22 2022 09:58 PM

‎Dec 10 2022 12:50 PM - edited ‎Dec 22 2022 09:58 PM

Re: Custom Query for finding VMs without software installed

Hello @Noa Kuperberg - This query helps a lot in creating a scenario like this, I'm not getting 0/1 exactly but a full list of all installed software even when I try to match it against one to test.

I'm requesting help on the extension of this request. Below is the attached format which I'm trying to achieve for 'n' Softwares & services (e.g. Microsoft Advance Threat Protection) to showcase it as one of the Tab in my overall Azure Monitor workbook in below format. Servers projects fine but want to spread out only needed software/services as column which would have Status (installed/pending) in cell.

0 Likes
Reply
Clive_Watson

‎Dec 11 2022 06:21 AM

‎Dec 11 2022 06:21 AM

Re: Custom Query for finding VMs without software installed

@ps12 

 

If you know and can define the list of Software (which I called myList in this example), you can build a query like this

Clive_Watson_0-1670768462866.png

 


Go to Log Analytics and run query

let myList=dynamic 
    ([
     "Microsoft Monitoring Agent",
     "Dependency Agent",
     "Windows Admin Center"
    ]);
ConfigurationData 
| where TimeGenerated > ago(3d) 
| where ConfigDataType == "Software"
| summarize all_software = make_set(SoftwareName) by Computer
| mv-expand all_software to typeof(string)
| where all_software has_any (myList)
| evaluate pivot(all_software)

 

You can then use the Workbook to colour these / rename the values.

You can also add extra wild card search data easily  e.g Any occurance of "SQL Server"

| where all_software has_any (myList) or all_software has_any ("SQL Server")  


1 Like
Reply
ps12

‎Dec 11 2022 09:35 AM - edited ‎Jan 04 2023 06:40 AM

‎Dec 11 2022 09:35 AM - edited ‎Jan 04 2023 06:40 AM

Re: Custom Query for finding VMs without software installed

Thanks a lot Clive for guidance, this looks great. Sure, let me add the wildcard and try as softwares are also installed as services.


Edit 04/01 - My requirements has changed and now drilling down on more varied states so Customizing query for it. Thanks a lot for the above guidance @Clive_Watson, really appreciate your quick reply.

Cheers (Y)

0 Likes
Reply