How to retrieve the list of installed packages with the Splunk Add-on for Unix and Linux?


Hi everyone,

I am using Splunk Enterprise + the ./bin/ script provided with the Splunk Add-on for Unix and Linux (v5.2.3 according to ./etc/apps/Splunk_TA_nix/README) to retrieve information about installed packages on multiple hosts running Ubuntu 14.04 LTS or 16.04 LTS. The relevant section of inputs.conf looks like this:

# Run package management tool collect installed packages
sourcetype = package
source = package
interval = 3600
index = os

Looking at ./bin/ I can see that for Debian distributions it uses some variant of:

dpkg-query -W -f='${Package}  ${Version}  ${Architecture}  ${Homepage}\n'

to list packages, but I don't see an option to include the ${Status} attribute, which would give me the package status :(

    Package status:
      n = Not-installed
      c = Config-files
      H = Half-installed
      U = Unpacked
      F = Half-configured
      W = Triggers-awaiting
      t = Triggers-pending
      i = Installed

Because of this, all packages are listed, including packages that have been previously uninstalled (but may still have leftover files), and I am missing the information to find which ones are currently installed.
Did I miss something? Is there another way to retrieve the missing information with this add-on? If this is a feature of interest to other users, is there a place to file a ticket?
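As an added example (not from the original post and not the add-on's own package.sh), the following POSIX shell script appends dpkg's ${Status} field to the format string and keeps only packages whose state is "installed". Two caveats worth knowing: the one-letter codes quoted above are the legend printed by `dpkg-query -l`, whereas `-W -f='${Status}'` prints the long form, three words "want error state" such as `install ok installed` or `deinstall ok config-files`; and `dpkg-query -W` with no pattern walks the whole status database, which is why removed-but-config-files packages show up at all. The sample lines and the function names are mine; the live query needs dpkg on the host.

```shell
#!/bin/sh
# Added example (not part of the Splunk Add-on for Unix and Linux): emit dpkg's
# Status field next to the columns the add-on already prints, then keep only
# packages whose state is "installed". Function names are illustrative.

# Live variant: same fields as the add-on's format string plus ${Status} at the
# end. ${Status} expands to "want error state", e.g. "install ok installed",
# so the state is always the last whitespace-separated token on the line.
list_installed_packages() {
    dpkg-query -W -f='${Package}  ${Version}  ${Architecture}  ${Homepage}  ${Status}\n' \
        | filter_installed
}

# Keep only lines whose last token is "installed". This drops config-files
# ("rc" in dpkg -l terms), half-installed, unpacked, half-configured and
# not-installed entries that a bare dpkg-query -W would otherwise list.
filter_installed() {
    awk '$NF == "installed"'
}

# Count the installed lines (prints 0 on empty input).
count_installed() {
    filter_installed | awk 'END { print NR }'
}

# First column (package name) of each installed line.
installed_names() {
    filter_installed | awk '{ print $1 }'
}

# Constructed sample in the format above, covering several dpkg states.
# Homepage is empty for two packages, which is why the state is taken from
# $NF rather than from a fixed column number.
sample_dpkg_output() {
    cat <<'EOF'
bash  4.3-14ubuntu1  amd64  http://tiswww.case.edu/php/chet/bash/bashtop.html  install ok installed
apache2  2.4.18-2ubuntu3  amd64  http://httpd.apache.org/  deinstall ok config-files
openssl  1.0.2g-1ubuntu4  amd64    install ok installed
oldtool  0.9-1  all    purge ok not-installed
brokenpkg  2.1-3  amd64  http://example.invalid/  install reinstreq half-configured
EOF
}

# Demo on the constructed sample; on a Debian/Ubuntu host call
# list_installed_packages instead.
sample_dpkg_output | filter_installed
```

If you patch the add-on's script rather than adding a separate input, keep in mind that the new column may require a matching change to the add-on's field extractions for sourcetype=package; alternatively, leave the format untouched and only add the `awk '$NF == "installed"'` filter after the existing `dpkg-query` call, which changes which rows are indexed without changing the row layout.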


