Is there a way to create a baseline of installed applications and have Splunk trigger a warning/alert to notify others that a baseline application was removed or an application not within the baseline was installed? Thanks!
There is nothing built-in that will do this easily. However, you could write a scripted input that simply does a directory listing of $SPLUNK_HOME/etc/apps and indexes that listing. Then you could write a search that looks for changes between events.
Scripted input example (listdir.sh)
# Script to generate a directory listing
ls -l $SPLUNK_HOME/etc/apps
inputs.conf (collects the listing approximately every 10 minutes)
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
LINE_BREAKER = ((*FAIL))
Also, remember to create the index named tracking - you can easily do that via the Splunk GUI. Once all of this is set up, you can easily set an alert based on a scheduled search to run every 10 minutes (hopefully between the run times of the script). Here is what the search would look like:
index=tracking earliest=-10m | head 2
| stats earliest(_raw) as previousList latest(_raw) as latestList
| where previousList!=latestList
The alert trigger should be "number of results > zero."
Now you have set up so that you will be alerted within 10 minutes of any change to the Splunk apps directory - this could be as simple as an app was updated, or that an app was added or removed. You can use this trick to monitor any directory, not just the Splunk apps directory. And of course you could do more sophisticated tracking.
Thanks for the thorough reply. When I asked about Baseline of Applications, I shouldve specified that I meant applications/software installed on our endpoints i.e. skype, vpn, etc. We want to create create a baseline of apps that should be installed and send a warning when the baseline does not match with the endpoint's current configuration.