How to tell if an app was installed via deployment server

a212830
Champion

Hi,

Is there any way to tell via Splunk logs when apps are being installed via the deployment server on specific hosts? We don't have visibility into the servers, and need it to troubleshoot some issues.

MuS
Legend

Hi a212830,

the hard way:

change any setting in the local directory and wait for 5 minutes (default phone home interval). If the changes are gone, this app is deployed using deployment server.

the easy way:

run this search

index=_internal component=PackageDownloadRestHandler host=* app=<YourAppNameHere> earliest=-30d@d
| bin _time span=1h
| stats count by _time host app

This will show you when which host downloaded what app.

Hope this helps ...

cheers, MuS

sloshburch
Splunk Employee

Another option for an answer that I just stumbled on:

index=_introspection component=deployment.app
| stats latest(data.version) AS version, latest(data.enabled) AS state BY data.host, data.name

Using the introspection data to see what's installed. Gotchas:

  1. Make sure the forwarders are on a version that supports introspection: https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Abouttheplatforminstrumentationf...
  2. Make sure the forwarders have introspection enabled: https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/ConfigurePIF#Enable_logging_on_a...

So, it's certainly more complicated of an approach BUT if you already have it all configured then it's worth exploring!

a212830
Champion

Thanks. I modified it to give me "peer" instead of host for the stats, and it worked great.

sloshburch
Splunk Employee

Great answer! A couple of adjustments and additions.

You mentioned 5 minutes as the default phone home but I think it's 60 seconds: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Deploymentclientconf

phoneHomeIntervalInSecs = <number in seconds>
* Defaults to 60.
* Fractional seconds are allowed.
* This determines how frequently this deployment client should check for new
  content.

I think there's a way to ping the remote instance and use the REST API to discover if the app is installed. It may depend on if splunkd knows it's there (versus someone manually placing the app folder and not restarting).
I think the /apps/local endpoint is the one to use for that as per http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTapps#apps.2Flocal

I could swear there's a Splunkbase app someone put together for this specific challenge but I can't seem to find it right now. Some apps worth peeking into as an option could be:
* Btool Scripted Inputs for Splunk - https://splunkbase.splunk.com/app/3590/#/details
* Internal change management for Splunk configs - https://splunkbase.splunk.com/app/2627/
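
The REST check suggested in the post above, as an added example that is not part of the original thread or Splunk's own code. It assumes the management port (8089) is reachable, that token authentication is enabled, and that the JSON response carries `entry[].name`, `content.version` and `content.disabled`; `check_app`, `parse_app_entry`, `ca_file` and the sample app name are hypothetical.

```python
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request


def _truthy(value):
    # Accept JSON booleans as well as "1"/"true" strings.
    return str(value).strip().lower() in ("1", "true")


def parse_app_entry(body):
    """Reduce an apps/local JSON response to name, version and enabled state."""
    entries = json.loads(body).get("entry", [])
    if not entries:
        return None
    content = entries[0].get("content", {})
    return {
        "name": entries[0].get("name"),
        "version": content.get("version"),  # None when app.conf sets no version
        "enabled": not _truthy(content.get("disabled", False)),
    }


def check_app(host, app, token, ca_file, port=8089, timeout=10):
    """Ask splunkd on `host` about `app`; None means splunkd answered 404."""
    url = "https://%s:%d/services/apps/local/%s?output_mode=json" % (
        host, port, urllib.parse.quote(app, safe=""))
    req = urllib.request.Request(
        url, headers={"Authorization": "Bearer " + token})
    # Verify the splunkd certificate against your own CA instead of disabling TLS checks.
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return parse_app_entry(resp.read())
    except urllib.error.HTTPError as err:
        if err.code == 404:  # app not loaded by this splunkd
            return None
        raise


# Constructed sample response (not captured from a real instance).
SAMPLE = json.dumps({"entry": [{
    "name": "example_outputs_app",
    "content": {"version": "1.2.0", "disabled": False}}]})

if __name__ == "__main__":
    print(parse_app_entry(SAMPLE))
```

A `None` result only says that splunkd has not loaded the app, which matches the caveat in the post about an app folder copied in by hand without a restart.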

MuS
Legend

My bad, for whatever reason I thought the default for phoneHomeIntervalInSecs was 300 - ¯\_(ツ)_/¯ ... anyway this is the app you're looking for : https://splunkbase.splunk.com/app/2775/

cheers, MuS

sloshburch
Splunk Employee

All good! Great catch on the app!
