All Apps and Add-ons

How to retrieve the list of installed packages with the Splunk Add-on for Unix and Linux ?


Hi everyone,

I am using Splunk Enterprise + the ./bin/ script provided with the Splunk Add-on for Unix and Linux ( v5.2.3 according to ./etc/apps/Splunk_TA_nix/README) to retrieve information about installed packages on multiple hosts running Ubuntu 14.04 LTS or 16.04 LTS. The section of the inputs.conf looks like this:

# Run package management tool collect installed packages
sourcetype = package
source = package
interval = 3600
index = os

Looking at ./bin/ I can see that for Debian distributions it uses some variant of:

dpkg-query -W -f='${Package}  ${Version}  ${Architecture}  ${Homepage}\n'

to list packages, but I don't see an option to include the ${Status} attribute which would give me the package status ( 😞

          Package status:
            n = Not-installed
            c = Config-files
            H = Half-installed
            U = Unpacked
            F = Half-configured
            W = Triggers-awaiting
            t = Triggers-pending
            i = Installed

Because of this, all packages are listed, including packages that have been previously uninstalled (but may still have leftover files), and I am missing the information to find which ones are currently installed.
Did I miss something? Is there another way to retrieve the missing information with this add-on? If this is a feature of interest to other users, is there a place to file a ticket?


0 Karma
Get Updates on the Splunk Community!

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...