Dashboards & Visualizations

How to create a report that lists of all enabled apps on Splunk Universal Forwarders and their versions?

paoloromagnoli
New Member

I would like to create a report/dashboard that includes among other things the list of Splunk apps installed on universal forwarders and their versions.
I created the report for apps installed on heavy forwarders and other Splunk components using the REST API. Any idea for universal forwarders? Also on the deployment server I was not able to spot if that info is indexed somewhere

0 Karma
1 Solution

woodcock
Esteemed Legend

This would make an excellent Modular Input App exercise. Your script will go to $SPLUNK_HOME/etc/apps/ and list out each directory and then go into each application directory and look for a app.conf file first in local and then in default. Inside of that find the line that says version=valiue line and grab the value. There might be an app on Splunkbase that already does this.

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @paoloromagnoli,

try this

| rest splunk_server=local /services/deployment/server/clients
| table hostname ip utsname *.restartSplunkd
| eval temp=hostname."#".ip."#".utsname 
| table temp *.restartSplunkd
| eval application.NoApp.restartSplunkd=0
| untable temp apps count 
| eval Apps=if(like(apps,"app%"),mvindex(split(apps,"."),1),null()) 
| eval ServerClass=if(like(apps,"server%"),mvindex(split(apps,"."),1),null() ) 
| rex field=temp "(?<Host>.*)#(?<Host_IP>.*)#(?<Machine_Type>.*)" 
| table Host Host_IP Machine_Type Apps ServerClass 
| stats Values(*) as * dc(Apps) AS dc_apps by Host Host_IP Machine_Type
| eval Apps=if(dc_apps=1,Apps,mvindex(Apps,1,10))
| nomv Apps
| nomv ServerClass
| fillnull value="NoSC" ServerClass

Ciao.

Giuseppe

0 Karma

Abha111
Loves-to-Learn Lots

Hi Paoloromagnoli,

 

Could you please share the rest query you used to create a report for apps installed on heavy forwarders and other Splunk components using the REST API.

Tags (1)
0 Karma

woodcock
Esteemed Legend

This would make an excellent Modular Input App exercise. Your script will go to $SPLUNK_HOME/etc/apps/ and list out each directory and then go into each application directory and look for a app.conf file first in local and then in default. Inside of that find the line that says version=valiue line and grab the value. There might be an app on Splunkbase that already does this.

paoloromagnoli
New Member

That was my first idea... I was only trying to seeif that info was already present some where in some index
Thanks,
Paolo

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...