Hi everyone,

I am using Splunk Enterprise 7.0.8.5 + the ./bin/package.sh script provided with the Splunk Add-on for Unix and Linux ( v5.2.3 according to ./etc/apps/Splunk_TA_nix/README) to retrieve information about installed packages on multiple hosts running Ubuntu 14.04 LTS or 16.04 LTS. The section of the inputs.conf looks like this:

# Run package management tool collect installed packages
[script://./bin/package.sh]
sourcetype = package
source = package
interval = 3600
index = os

Looking at ./bin/package.sh I can see that for Debian distributions it uses some variant of:

dpkg-query -W -f='${Package}  ${Version}  ${Architecture}  ${Homepage}\n'

to list packages, but I don't see an option to include the ${Status} attribute which would give me the package status ( http://man7.org/linux/man-pages/man1/dpkg-query.1.html 😞

          Package status:
            n = Not-installed
            c = Config-files
            H = Half-installed
            U = Unpacked
            F = Half-configured
            W = Triggers-awaiting
            t = Triggers-pending
            i = Installed

Because of this, all packages are listed, including packages that have been previously uninstalled (but may still have leftover files), and I am missing the information to find which ones are currently installed.
Did I miss something? Is there another way to retrieve the missing information with this add-on? If this is a feature of interest to other users, is there a place to file a ticket?

Thanks.