Relevance for Splunk

Trying to find the list of the devices which have a Splunk version less than 9.4.12.0, but it does not work for me.

Here is the relevance I set, but it is not picking up any devices.

exists file "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" whose (
version of it < "9.4.12.0"
)

Does anyone have any idea why it is not working? I made sure that I have 100's of devices with the version "9.4.10.0".

I tried the registry as well, as below, but no luck.

exists keys whose (
value "DisplayName" of it as string = "UniversalForwarder"
and
(value "DisplayVersion" of it as version) < ("9.4.12.0" as version)
) of key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of native registry

Help is much appreciated.

You're applying these as Analysis Properties?

The first of these may suffer the same issue - 32-bit redirection. For maximum backwards compatibility, the default 'file' and 'registry' inspectors operate in 32-bit mode. I'm not sure what's wrong with the second; querying against 'native registry' should solve that problem.

I personally dislike having an Analysis property that returns just a True/False like this - it can hide problems. I'd prefer having the analysis return the exact versions that it finds (including the 'empty' version) - so that you can tell both whether your logic is correct (you find 'something'), and can pretty easily sort and group to capture the machines with old versions or send them actions.

When you code it as a Fixlet Relevance, you'll need to get back to the True/False results, but for an Analysis just retrieve the actual values.

These versions should avoid the 32-bit redirection; see whether they work better for you:

versions of native files "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"
values "DisplayVersion" of keys whose (
value "DisplayName" of it as string = "UniversalForwarder"
) of keys "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of native registry

Check whether these give the results you expect and get back to us?

It's strange, but Splunk's own enterprise documentation says to identify the version by the value specified in the splunk.version file. Now things may have changed in the last couple of major versions, but this was the case.

(substring after "=" of line containing "VERSION" of file "splunk.version" of folder "SplunkUniversalForwarder\etc" of native program files folder | "N/A")

A similar result can be found (and of course) compared to the config file from the service version.

if (exists service "SplunkForwarder") then (version of service "SplunkForwarder" as string) else "N/A"

These return the values, you can adjust as needed to get True/False values.
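As an added example (not code from either reply), the two shapes discussed above side by side: an Analysis property that reports the actual version using the native file inspector, and the equivalent Fixlet relevance that reduces it to True/False with a proper version-to-version comparison. The install path and the 9.4.12.0 threshold come from the thread; the "Not installed" marker text is an assumption.

```relevance
/* Added example, not from the original posts.
   Analysis property: report the Splunk Universal Forwarder version found
   on disk, or a marker when the native file is absent. Using 'native files'
   and 'native program files folder' avoids 32-bit redirection. The marker
   string "Not installed" is an assumed value; pick whatever suits you. */
if (exists native files "splunk.exe" of folders "bin" of folders "SplunkUniversalForwarder" of native program files folder)
then (version of native file "splunk.exe" of folder "bin" of folder "SplunkUniversalForwarder" of native program files folder as string)
else "Not installed"

/* Fixlet relevance: True only when the forwarder is installed AND its file
   version is below 9.4.12.0. The threshold is cast to 'version' so the
   comparison is numeric per component, not a string comparison. Machines
   without the file return False rather than an error. */
exists (native files "splunk.exe" of folders "bin" of folders "SplunkUniversalForwarder" of native program files folder)
whose ((version of it) < ("9.4.12.0" as version))
```

Paste each expression separately into the Fixlet Debugger; the first should show "9.4.10.0" on the machines mentioned in the question, and the second should then evaluate to True on the same machines.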
