WHITE PAPER
The two main SAM use cases: inventory and usage

First of all, basic inventory (see Figure 1) is required — that is, to find out if an organization is buying too many or not enough licenses of commonly used enterprise software, such as Microsoft Office and Adobe Acrobat. When you have 10,000 employees or more, it is not easy to know how many concurrent instances of any given software that requires a license are running. This uncertainty often leads to purchasing more licenses than necessary to cover the worst-case scenario. On the other side, under-licensing is expensive, bears high liability risks and can ultimately result in criminal charges, so it needs to be done right.

Questions 1 and 2 can be answered by using the default Splunk Add-on for Microsoft Windows and Splunk Add-on for Unix and Linux (which includes Mac OS). Both of these add-ons are built and supported by Splunk. Question 3 can be answered by using lookup functionality, which contains the license entitlement for each software solution being used.

Knowing which applications are running on your endpoints is also useful for security purposes. This data can be enriched with threat intelligence data to find out if any of your endpoints are running malware or compromised software. This concept is often used as a technique in Splunk Enterprise Security.
Figure 1: SAM data flow. Endpoints report through forwarders (Windows, Linux, Mac) to the indexers; the search heads join the indexed process data with the license information lookup and present the result to the user. The forwarder inputs.conf stanzas that collect the process data are:

Linux/Unix/Mac OS (Splunk Add-on for Unix and Linux):

    [script://./bin/ps.sh]
    ## Run once per minute
    interval = 60
    sourcetype = ps
    source = ps
    index = os
    disabled = 0

Windows (Splunk Add-on for Microsoft Windows):

    [WinHostMon://Process]
    ## Run once per minute
    interval = 60
    ## disabled = 1 leaves this input switched off; set it to 0 to start collecting
    disabled = 1
    type = Process
    index = windows
Splunk can also address more challenging problems, like reporting on complex and vendor-specific license agreements, which have a special count concept. For example, license restrictions by:
• Specific regions
• Specific users, roles or subsidiaries
• Device type
• Virtual/physical
• Concurrent users
• Daily/monthly users

You can use Splunk to further enrich the endpoint data with contextual information from Active Directory, CMDBs, databases and spreadsheets. For example, assigning a cost center to a host or user for pay-per-use internal billing. Below are a few examples of this methodology:

Region specific license entitlements

    eventtype=runningapps Region="Turkey"
    | stats dc(host) AS "Host count" BY app, Region
    | lookup appContext app Region OUTPUT License
    | where 'Host count' > License

Device type specific license entitlements

    eventtype=runningapps DeviceType="Mac"
    | stats dc(host) AS "Host count" BY app, DeviceType
    | lookup appContext app DeviceType OUTPUT License
    | where 'Host count' > License

Distributed software license entitlements can be solved by profiling each endpoint by the installed software.

    eventtype=installedapps
    | stats list(app) AS apps BY host
    | eval msoffice=case(
        apps="Microsoft Excel" AND apps="Microsoft Word" AND apps="Microsoft Outlook" AND apps="Microsoft Visio", "pro",
        apps="Microsoft Excel" AND apps="Microsoft Word" AND apps="Microsoft Outlook", "standard")
    | outputlookup endpointOfficeProfile

Both profiles are decided in a single case() statement, with the more specific "pro" test first: a second eval that assigns msoffice with its own case() would overwrite the field with null on every host that did not match it, wiping out the "standard" result.

The endpoint profiles and corresponding license entitlements can then be added to any future endpoint data in the same way we added the license entitlements above.

Rolling up all licenses used at the same time for VMs inside a virtual host (concurrent use):

    eventtype=runningapps HostType=vm
    | stats count AS TotalRunningApps BY VirtualHost, app
    | lookup appContextForVirtual app VirtualHost OUTPUT License
    | where TotalRunningApps > License

The running instances are counted per virtual host and application with count; app is a text field, so sum(app) would return no value and the where clause would never fire.
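The entitlement searches above share one pattern: count distinct hosts per application and dimension, join the entitlement from a lookup, and flag the pairs over their limit; the profiling search classifies each host by its installed set. As an added example (not code from the white paper or the Splunk add-ons), the Python below reproduces that logic offline over constructed events and an inline stand-in for the appContext lookup, which is handy for checking the rules before building them as SPL:

```python
from collections import defaultdict

# Constructed sample events standing in for eventtype=runningapps (not Splunk data).
RUNNING = [
    {"host": "tr-pc-01", "app": "Microsoft Visio", "Region": "Turkey"},
    {"host": "tr-pc-02", "app": "Microsoft Visio", "Region": "Turkey"},
    {"host": "tr-pc-02", "app": "Microsoft Visio", "Region": "Turkey"},  # repeat sighting: dc() must not double count
    {"host": "tr-pc-03", "app": "Microsoft Visio", "Region": "Turkey"},
    {"host": "tr-pc-04", "app": "Adobe Acrobat", "Region": "Turkey"},    # no row in the lookup for this pair
    {"host": "de-pc-01", "app": "Microsoft Visio", "Region": "Germany"},
]
# Constructed stand-in for the appContext lookup: (app, Region) -> License entitlement.
APP_CONTEXT = {("Microsoft Visio", "Turkey"): 2, ("Microsoft Visio", "Germany"): 5}
# Constructed stand-in for eventtype=installedapps after "stats list(app) AS apps BY host".
INSTALLED = {
    "tr-pc-01": {"Microsoft Excel", "Microsoft Word", "Microsoft Outlook", "Microsoft Visio"},
    "tr-pc-02": {"Microsoft Excel", "Microsoft Word", "Microsoft Outlook"},
    "tr-pc-03": {"Microsoft Excel"},
}

def over_entitlement(events, context, key="Region"):
    """stats dc(host) AS "Host count" BY app, <key> | lookup ... | where 'Host count'>License.
    Returns {(app, key value): (distinct hosts, License)} for every pair beyond its entitlement."""
    hosts = defaultdict(set)  # distinct hosts per (app, dimension), i.e. dc(host)
    for e in events:
        hosts[(e["app"], e[key])].add(e["host"])
    flagged = {}
    for (app, dim), hs in hosts.items():
        lic = context.get((app, dim))
        # A pair missing from the lookup gets no License field, so 'where' drops it instead of flagging it.
        if lic is not None and len(hs) > lic:
            flagged[(app, dim)] = (len(hs), lic)
    return flagged

OFFICE_CORE = {"Microsoft Excel", "Microsoft Word", "Microsoft Outlook"}

def office_profile(apps):
    """The case() that fills endpointOfficeProfile; None means no Office profile applies."""
    if not OFFICE_CORE <= apps:  # all three core apps are required for either profile
        return None
    return "pro" if "Microsoft Visio" in apps else "standard"

def build_office_profiles(installed):
    """Profile every host: the rows outputlookup endpointOfficeProfile would write."""
    return {host: office_profile(apps) for host, apps in installed.items()}

if __name__ == "__main__":
    print(over_entitlement(RUNNING, APP_CONTEXT))  # {('Microsoft Visio', 'Turkey'): (3, 2)}
    print(build_office_profiles(INSTALLED))
```

Swap key="DeviceType" and a matching lookup dict to reproduce the device-type search; the VM roll-up differs only in counting events instead of distinct hosts.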
We have two app templates available that can accelerate your time to get started:
• Get started now with the app template and some sample data from GitHub here.
• Splunk Add-on for Technology Inventory, which includes further technical details such as CPU speed information, network interface configurations, hard disk details and status, etc.
• The app requires the Add-on for Windows and the Add-on for *Nix to be installed.
Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries.
All other brand names, product names or trademarks belong to their respective owners. © 2020 Splunk Inc. All rights reserved.
2020-Splunk-PLATFORM-Building-Your-Software-Asset-Management-System-105-WP