WHITE PAPER

Building Your Own Software Asset Management System With Splunk

Software Asset Management (SAM) is a business practice that involves managing and optimizing the purchase, deployment, maintenance, utilization and disposal of software applications within an organization.

In today's world, nearly every business has implemented some kind of SAM solution to ensure they track what software licenses are purchased, where they are installed and, ideally, whether the installed software is actually being utilized by the end user.

If done right, an organization can prove its software is properly licensed in case it is audited. An organization can also reduce costs by eliminating unused software products.

Splunk® has identified that many organizations are considering using Splunk software for tool consolidation. This white paper showcases one example of how Splunk can be used as a platform to answer the questions usually associated with a SAM solution, in a way that might be "good enough" for many businesses.

The two main SAM use cases: inventory and usage

First of all, basic inventory (see Figure 1) is required — that is, to find out if an organization is buying too many or not enough licenses of commonly used enterprise software, such as Microsoft Office and Adobe Acrobat. When you have 10,000 employees or more, it is not easy to know how many concurrent instances are running of any given software that requires a license. This uncertainty often leads to purchasing more licenses than necessary to cover the worst-case scenario. On the other side, under-licensing is expensive, bears high liability risks and can ultimately result in criminal charges, so it needs to be done right.

The Splunk Universal Forwarder, when installed on an endpoint, can capture the local OS logs and further inventory details from the system. This data contains details on what software applications are installed, as well as what software is running, and other important parameters such as when processes from those software applications were launched, the duration that they ran, and more, to get insights into usability (see Figure 2).

To prove this capability, we'll introduce three questions that need to be answered and that, if answered correctly, demonstrate how Splunk solves the software asset management use case without requiring the purchase of additional point-solution software.

The questions that need to be answered

1. Which software is installed on the endpoints?
2. Which software is actually used on the endpoints by the user?
3. Can we correlate 1. and 2. with license information to find unused or overused licenses?

Questions 1 and 2 can be answered by using the default Splunk Add-on for Microsoft Windows and Splunk Add-on for Unix and Linux (which includes Mac OS). Both of these add-ons are built and supported by Splunk. Question 3 can be answered by using lookup functionality: a lookup table that contains the license entitlement for each software solution being used.

Knowing which applications are running on your endpoints is also useful for security purposes. This data can be enriched with threat intelligence data to find out if any of your endpoints are running malware or compromised software. This concept is often used as a technique in Splunk Enterprise Security.


Architecture

[Figure: architecture diagram showing the user, search heads with the license information lookup, indexers, and endpoints running forwarders on Windows, Linux and Mac]

Data Collection

Configuring the Splunk Universal Forwarder

The inputs.conf configurations that need to be enabled within the add-ons for getting the installed applications are the following:

Linux/Unix/Mac OS

[script://./bin/package.sh]
sourcetype = package
source = package
## Run once per day
interval = 86400
index = os
disabled = 0

Windows

[script://.\bin\win_installed_apps.bat]
disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:InstalledApps
index = windows

For getting the applications that are running, you need to enable the following inputs:

Linux/Unix/Mac OS

[script://./bin/ps.sh]
## Run once per minute
interval = 60
sourcetype = ps
source = ps
index = os
disabled = 0

Windows

[WinHostMon://Process]
## Run once per minute
interval = 60
## The add-on ships this stanza disabled; it must be set to 0 to collect process data
disabled = 0
type = Process
index = windows

Asking the questions

The following methodologies can be applied to answer these questions, with samples of the results:

What is my license usage vs. license entitlement for my applications?

eventtype=runningapps | stats dc(host) AS "Host count" by app | lookup appContext app OUTPUT License | where 'Host count'>License

What are the applications with excess license entitlement?

eventtype=runningapps | stats first(_time) AS _time by app,host | lookup appContext app OUTPUT DisplayName License | where License>0 AND _time<relative_time(now(), "-6mon@mon") | reltime _time | rename reltime AS "Last used" | table host DisplayName "Last used"
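To make the two searches above concrete, here is an added Python example (not from the white paper and not Splunk code) that performs the same distinct-host count, lookup join and six-month staleness check over a constructed set of runningapps events and a constructed appContext lookup. It keeps the paper's field and lookup names (host, app, _time, DisplayName, License); the host names, applications, timestamps and entitlement numbers are made up, and the "now" is fixed so the run is deterministic.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed "now" so the example is deterministic (assumption, not real data).
NOW = datetime(2020, 10, 1, tzinfo=timezone.utc)


def days_ago(n):
    """Epoch timestamp n days before NOW (helper for the constructed events)."""
    return (NOW - timedelta(days=n)).timestamp()


# Constructed runningapps events: one sighting per row, as the once-per-minute
# ps / WinHostMon:Process inputs would yield after field extraction.
RUNNING_APPS = [
    {"host": "ws01", "app": "msexcel", "_time": days_ago(1)},
    {"host": "ws02", "app": "msexcel", "_time": days_ago(2)},
    {"host": "ws03", "app": "msexcel", "_time": days_ago(3)},
    {"host": "ws01", "app": "acrobat", "_time": days_ago(5)},
    {"host": "ws01", "app": "acrobat", "_time": days_ago(4)},  # same host seen again
    {"host": "ws04", "app": "visio", "_time": days_ago(250)},  # not used for months
    {"host": "ws05", "app": "visio", "_time": days_ago(300)},  # not used for months
]

# Constructed appContext lookup (a CSV lookup file in Splunk): app -> entitlement.
APP_CONTEXT = {
    "msexcel": {"DisplayName": "Microsoft Excel", "License": 2},
    "acrobat": {"DisplayName": "Adobe Acrobat", "License": 5},
    "visio": {"DisplayName": "Microsoft Visio", "License": 10},
}


def host_count_by_app(events):
    """stats dc(host) AS "Host count" by app"""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["app"]].add(e["host"])
    return {app: len(h) for app, h in hosts.items()}


def over_licensed(events, lookup):
    """lookup appContext app OUTPUT License | where 'Host count'>License

    An app absent from the lookup gets a null License and is dropped by the
    where clause, so it is skipped here too; such apps deserve their own
    report (software running with no entitlement record at all)."""
    report = {}
    for app, n in host_count_by_app(events).items():
        ctx = lookup.get(app)
        if ctx is not None and n > ctx["License"]:
            report[app] = {"Host count": n, "License": ctx["License"]}
    return report


def months_ago_snapped(now, months):
    """relative_time(now(), "-<N>mon@mon"): N calendar months back,
    snapped to 00:00 on the first day of that month."""
    year, month = now.year, now.month - months
    while month <= 0:
        year, month = year - 1, month + 12
    return datetime(year, month, 1, tzinfo=now.tzinfo)


def excess_entitlement(events, lookup, now=NOW, months=6):
    """Rows where a licensed app was last seen on a host before the cutoff.

    The paper's search keeps first(_time) per app,host (newest first in
    search order); max(_time) is the order-independent equivalent used here."""
    last_seen = {}
    for e in events:
        key = (e["app"], e["host"])
        last_seen[key] = max(last_seen.get(key, 0.0), e["_time"])
    cutoff = months_ago_snapped(now, months).timestamp()
    rows = []
    for (app, host), t in sorted(last_seen.items()):
        ctx = lookup.get(app)
        if ctx and ctx["License"] > 0 and t < cutoff:
            rows.append({
                "host": host,
                "DisplayName": ctx["DisplayName"],
                "Last used": datetime.fromtimestamp(t, timezone.utc).date().isoformat(),
            })
    return rows


if __name__ == "__main__":
    print("over-licensed:", over_licensed(RUNNING_APPS, APP_CONTEXT))
    for row in excess_entitlement(RUNNING_APPS, APP_CONTEXT):
        print("excess entitlement:", row)
```

With the constructed data, msexcel is the only over-licensed application (three distinct hosts against an entitlement of two; the repeated acrobat sighting on ws01 counts once), and the two Visio installs last seen in January and December fall before the 2020-04-01 cutoff that "-6mon@mon" produces from an October "now".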

Figure 1: Software Install Base Overview

Figure 2: Software Licensing Overview

Splunk can also address more challenging problems, like reporting on complex and vendor-specific license agreements, which have a special count concept. For example, license restrictions by:

• Specific regions
• Specific users, roles or subsidiaries
• Device type
• Virtual/physical
• Concurrent users
• Daily/monthly users

You can use Splunk to further enrich the endpoint data with contextual information from Active Directory, CMDBs, databases and spreadsheets. For example, assigning a cost center to a host or user for pay-per-use internal billing. Below are a few examples of this methodology:

Region specific license entitlements

eventtype=runningapps Region="Turkey" | stats dc(host) AS "Host count" by app, Region | lookup appContext app Region OUTPUT License | where 'Host count'>License

Device type specific license entitlements

eventtype=runningapps DeviceType="Mac" | stats dc(host) AS "Host count" by app, DeviceType | lookup appContext app DeviceType OUTPUT License | where 'Host count'>License

Distributed software license entitlements can be solved by profiling each endpoint by the installed software. Both profiles are evaluated in a single case() call with the most specific branch first: case() returns null when no branch matches, so a second, separate eval msoffice=case(...) for the "pro" profile would overwrite an already assigned "standard" value with null.

eventtype=installedapps | stats list(app) AS apps BY host | eval msoffice=case(apps="Microsoft Excel" AND apps="Microsoft Word" AND apps="Microsoft Outlook" AND apps="Microsoft Visio", "pro", apps="Microsoft Excel" AND apps="Microsoft Word" AND apps="Microsoft Outlook" AND NOT apps="Microsoft Visio", "standard") | outputlookup endpointOfficeProfile

The endpoint profiles and corresponding license entitlements can then be added to any future endpoint data in the same way we added the license entitlements.

Rolling up all licenses used at the same time for VMs inside a virtual host (concurrent use), counting the distinct VMs per virtual host that run each application:

eventtype=runningapps HostType=vm | stats dc(host) AS TotalRunningApps BY VirtualHost, app | lookup appContextForVirtual app VirtualHost OUTPUT License | where TotalRunningApps>License
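The endpoint profiling and the virtual-host rollup above, as an added Python example that is not part of the white paper: it builds the per-host application list, shows why two chained case() evaluations lose the "standard" profile while a single ordered case() keeps it, and performs the distinct-VM count per virtual host against a constructed appContextForVirtual lookup. Field and lookup names follow the paper's searches; the host names, application lists and entitlement numbers are constructed.

```python
from collections import defaultdict

# Constructed installedapps events (one per host,app), as the daily package.sh /
# win_installed_apps.bat inputs would yield after field extraction.
INSTALLED_APPS = [
    ("ws01", "Microsoft Excel"), ("ws01", "Microsoft Word"), ("ws01", "Microsoft Outlook"),
    ("ws02", "Microsoft Excel"), ("ws02", "Microsoft Word"), ("ws02", "Microsoft Outlook"),
    ("ws02", "Microsoft Visio"),
    ("ws03", "Microsoft Excel"), ("ws03", "Microsoft Word"),   # no Outlook: no profile
    ("ws04", "Microsoft Visio"),                               # Visio alone: no profile
]

STANDARD = {"Microsoft Excel", "Microsoft Word", "Microsoft Outlook"}
PRO = STANDARD | {"Microsoft Visio"}


def apps_by_host(events):
    """stats list(app) AS apps BY host"""
    apps = defaultdict(set)
    for host, app in events:
        apps[host].add(app)
    return dict(apps)


def office_profile_two_evals(apps):
    """Two chained evals: msoffice=case(<standard>) then msoffice=case(<pro>).
    case() yields null (None) when no branch matches, so the second eval
    replaces a correct "standard" with None."""
    msoffice = "standard" if STANDARD <= apps and "Microsoft Visio" not in apps else None
    msoffice = "pro" if PRO <= apps else None  # unconditionally overwrites msoffice
    return msoffice


def office_profile(apps):
    """One case() with the most specific branch first."""
    if PRO <= apps:
        return "pro"
    if STANDARD <= apps:
        return "standard"
    return None


def profile_endpoints(events):
    """What outputlookup endpointOfficeProfile would store: host -> profile."""
    return {host: office_profile(apps) for host, apps in sorted(apps_by_host(events).items())}


# Constructed runningapps events for the virtual-host rollup.
RUNNING_ON_VMS = [
    {"host": "vm1", "app": "msexcel", "HostType": "vm", "VirtualHost": "vh-a"},
    {"host": "vm2", "app": "msexcel", "HostType": "vm", "VirtualHost": "vh-a"},
    {"host": "vm3", "app": "msexcel", "HostType": "vm", "VirtualHost": "vh-a"},
    {"host": "vm1", "app": "msexcel", "HostType": "vm", "VirtualHost": "vh-a"},  # repeat sighting
    {"host": "vm4", "app": "msexcel", "HostType": "vm", "VirtualHost": "vh-b"},
    {"host": "ws01", "app": "msexcel", "HostType": "physical", "VirtualHost": ""},
]

# Constructed appContextForVirtual lookup: (app, VirtualHost) -> concurrent entitlement.
APP_CONTEXT_FOR_VIRTUAL = {("msexcel", "vh-a"): 2, ("msexcel", "vh-b"): 2}


def vm_concurrent_overuse(events, lookup):
    """eventtype=runningapps HostType=vm | stats dc(host) AS TotalRunningApps BY VirtualHost, app
    | lookup appContextForVirtual app VirtualHost OUTPUT License | where TotalRunningApps>License"""
    vms = defaultdict(set)
    for e in events:
        if e["HostType"] == "vm":
            vms[(e["VirtualHost"], e["app"])].add(e["host"])
    report = {}
    for (vhost, app), hosts in vms.items():
        entitlement = lookup.get((app, vhost))
        if entitlement is not None and len(hosts) > entitlement:
            report[(vhost, app)] = {"TotalRunningApps": len(hosts), "License": entitlement}
    return report


if __name__ == "__main__":
    for host, apps in sorted(apps_by_host(INSTALLED_APPS).items()):
        print(host, "chained:", office_profile_two_evals(apps), "single case:", office_profile(apps))
    print(vm_concurrent_overuse(RUNNING_ON_VMS, APP_CONTEXT_FOR_VIRTUAL))
```

Running it shows ws01 classified as "standard" only by the single-case() version (the chained version returns None for it), ws02 as "pro" by both, and virtual host vh-a flagged because three distinct VMs run msexcel against an entitlement of two while the physical host and the repeated vm1 sighting are ignored.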

We have two app templates available that can accelerate your time to get started:
• Get started now with the app template and some sample data from GitHub here.
• Splunk Add-on for Technology Inventory, which includes further technical details such as CPU speed information, network interface configurations, hard disk details and status, etc.
• The app requires the Add-on for Windows and the Add-on for *Nix to be installed.

Learn more: www.splunk.com/asksales www.splunk.com

Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries.
All other brand names, product names or trademarks belong to their respective owners. © 2020 Splunk Inc. All rights reserved.
2020-Splunk-PLATFORM-Building-Your-Software-Asset-Management-System-105-WP
