All Apps and Add-ons
Highlighted

How to retrieve the list of installed packages with the Splunk Add-on for Unix and Linux ?

Engager

Hi everyone,

I am using Splunk Enterprise 7.0.8.5 + the ./bin/package.sh script provided with the Splunk Add-on for Unix and Linux ( v5.2.3 according to ./etc/apps/SplunkTAnix/README) to retrieve information about installed packages on multiple hosts running Ubuntu 14.04 LTS or 16.04 LTS. The section of the inputs.conf looks like this:

# Run package management tool collect installed packages
[script://./bin/package.sh]
sourcetype = package
source = package
interval = 3600
index = os

Looking at ./bin/package.sh I can see that for Debian distributions it uses some variant of:

dpkg-query -W -f='${Package}  ${Version}  ${Architecture}  ${Homepage}\n'

to list packages, but I don't see an option to include the ${Status} attribute which would give me the package status ( http://man7.org/linux/man-pages/man1/dpkg-query.1.html 😞

          Package status:
            n = Not-installed
            c = Config-files
            H = Half-installed
            U = Unpacked
            F = Half-configured
            W = Triggers-awaiting
            t = Triggers-pending
            i = Installed

Because of this, all packages are listed, including packages that have been previously uninstalled (but may still have leftover files), and I am missing the information to find which ones are currently installed.
Did I miss something? Is there another way to retrieve the missing information with this add-on? If this is a feature of interest to other users, is there a place to file a ticket?

Thanks.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.