Is there a way to create a baseline of installed applications and alert if one is removed or a new application is installed?

New Member

Is there a way to create a baseline of installed applications and have Splunk trigger a warning/alert to notify others that a baseline application was removed or an application not within the baseline was installed? Thanks!

0 Karma


There is nothing built-in that will do this easily. However, you could write a scripted input that simply does a directory listing of $SPLUNK_HOME/etc/apps and indexes that listing. Then you could write a search that looks for changes between events.


Scripted input example (

# Script to generate a directory listing    
ls -l $SPLUNK_HOME/etc/apps

inputs.conf (collects the listing approximately every 10 minutes)

interval = 600



Also, remember to create the index named tracking - you can easily do that via the Splunk GUI. Once all of this is set up, you can easily set an alert based on a scheduled search to run every 10 minutes (hopefully between the run times of the script). Here is what the search would look like:

index=tracking earliest=-10m | head 2 
| stats earliest(_raw) as previousList latest(_raw) as latestList 
| where previousList!=latestList

The alert trigger should be "number of results > zero."

Now you have set up so that you will be alerted within 10 minutes of any change to the Splunk apps directory - this could be as simple as an app was updated, or that an app was added or removed. You can use this trick to monitor any directory, not just the Splunk apps directory. And of course you could do more sophisticated tracking.

0 Karma

New Member

Hi Iguinn,

Thanks for the thorough reply. When I asked about Baseline of Applications, I shouldve specified that I meant applications/software installed on our endpoints i.e. skype, vpn, etc. We want to create create a baseline of apps that should be installed and send a warning when the baseline does not match with the endpoint's current configuration.

0 Karma