Each forwarder writes to it's splunkd.log under the DeployedApplication component, something like;
07-21-2012 12:01:22.267 +0300 INFO DeployedApplication - Refreshed app: WinEvtSec for service class: AppsByMachineType from archive: C:\Program Files\SplunkUniversalForwarder\var\run\AppsByMachineType\WinEvtSec-1306487137.bundle
If you've forwarded the splunkd.log from the forwarder to the indexer, it should be found in the _internal index. Try searching for
index=_internal DeployedApplication | rex "\sapp:\s(?<DepApp>\S+)\s" | stats values(DepApp) by host
Hope this helps,
Kristian
You can find information about which forwarder downloaded a deployment app in Splunkd's access log on the deployment server:
index=_internal sourcetype="splunkd_access" uri_path=/services/streams/deployment | rex field=name ":(?<serverClass>.+?):(?<app>.+)" | table _time clientip serverClass app
thank you as well! it worked also, but there was just one chance to give it a green tick, sorry but thank you!
Each forwarder writes to it's splunkd.log under the DeployedApplication component, something like;
07-21-2012 12:01:22.267 +0300 INFO DeployedApplication - Refreshed app: WinEvtSec for service class: AppsByMachineType from archive: C:\Program Files\SplunkUniversalForwarder\var\run\AppsByMachineType\WinEvtSec-1306487137.bundle
If you've forwarded the splunkd.log from the forwarder to the indexer, it should be found in the _internal index. Try searching for
index=_internal DeployedApplication | rex "\sapp:\s(?<DepApp>\S+)\s" | stats values(DepApp) by host
Hope this helps,
Kristian
thank you very much, that worked great for my case! 🙂
oops. found a typo. fixed it. /k