
How to tell if an app was installed via deployment server

a212830
Champion

Hi,

Is there any way to tell via Splunk logs when apps are being installed via the deployment server on specific hosts? We don't have visibility into the servers, and need it to troubleshoot some issues.


MuS
Legend

Hi a212830,

the hard way:

change any setting in the local directory and wait for 5 minutes (default phone home interval). If the changes are gone, this app is deployed using deployment server.

the easy way:

run this search

index=_internal component=PackageDownloadRestHandler host=* app=<YourAppNameHere> earliest=-30d@d
| bin _time span=1h
| stats count by _time host app

This will show you when each host downloaded which app.

Hope this helps ...

cheers, MuS


sloshburch
Splunk Employee

Another option for an answer that I just stumbled on:

index=_introspection component=deployment.app
| stats latest(data.version) AS version, latest(data.enabled) AS state BY data.host, data.name

Using the introspection data to see what's installed. Gotchas:

  1. Make sure the forwarders are on a version that supports introspection: https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Abouttheplatforminstrumentationf...
  2. Make sure the forwarders have introspection enabled: https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/ConfigurePIF#Enable_logging_on_a...

So, it's certainly a more complicated approach, BUT if you already have it all configured then it's worth exploring!

a212830
Champion

Thanks. I modified it to give me "peer" instead of host for the stats, and it worked great.


sloshburch
Splunk Employee

Great answer! A couple of adjustments and additions.

You mentioned 5 minutes as the default phone home but I think it's 60 seconds: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Deploymentclientconf

phoneHomeIntervalInSecs = <number in seconds>
* Defaults to 60.
* Fractional seconds are allowed.
* This determines how frequently this deployment client should check for new
  content.

I think there's a way to ping the remote instance and use the REST API to discover if the app is installed. It may depend on if splunkd knows it's there (versus someone manually placing the app folder and not restarting).
I think the /apps/local endpoint is the one to use for that as per http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTapps#apps.2Flocal

I could swear there's a splunkbase app someone put together for this specific challenge but I can't seem to find it right now. Some apps worth peeking into as an option could be:
* Btool Scripted Inputs for Splunk - https://splunkbase.splunk.com/app/3590/#/details
* Internal change management for Splunk configs - https://splunkbase.splunk.com/app/2627/
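An added example of the REST approach mentioned above (editor's example, not code from any post in this thread or from Splunk): it pulls /services/apps/local with output_mode=json from an instance's management port and diffs the result against the app versions the deployment server is supposed to push. The endpoint, the output_mode=json and count=0 parameters, and the Bearer-token Authorization header are documented Splunk REST behaviour; the hostname fwd01.example.com, the token, the trimmed SAMPLE_RESPONSE and the EXPECTED_FROM_DS list are assumptions for illustration.

```python
"""Inventory the apps a Splunk instance reports via /services/apps/local and
diff them against what the deployment server should have pushed.

Added example for this thread, not code from the thread or from Splunk.
Assumptions (illustrative): the host fwd01.example.com, the token, the
trimmed SAMPLE_RESPONSE and the EXPECTED_FROM_DS list.
"""
import json
import ssl
import urllib.request
from typing import Dict, List, NamedTuple, Tuple


class AppState(NamedTuple):
    version: str
    enabled: bool


def parse_apps_local(body: str) -> Dict[str, AppState]:
    """Parse the JSON body of GET /services/apps/local?output_mode=json.

    Each entry is one app directory splunkd has loaded; the content block
    carries 'version' and 'disabled' (so enabled is the inverse).
    """
    doc = json.loads(body)
    apps: Dict[str, AppState] = {}
    for entry in doc.get("entry", []):
        content = entry.get("content", {})
        apps[entry["name"]] = AppState(
            version=str(content.get("version", "")),
            enabled=not bool(content.get("disabled", False)),
        )
    return apps


def fetch_apps_local(base_url: str, token: str, verify_tls: bool = True,
                     timeout: float = 10.0) -> Dict[str, AppState]:
    """Query a live instance's management port (e.g. https://fwd01.example.com:8089,
    an assumed hostname) with a Splunk authentication token as a Bearer header.
    count=0 asks for all entries instead of the default page size."""
    url = f"{base_url.rstrip('/')}/services/apps/local?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Only for lab instances still on Splunk's self-signed certificate.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_apps_local(resp.read().decode("utf-8"))


def compare_with_expected(installed: Dict[str, AppState],
                          expected: Dict[str, str]
                          ) -> Tuple[List[str], Dict[str, Tuple[str, str]], List[str]]:
    """Return (missing, version_mismatch, disabled) for the apps the deployment
    server is supposed to have pushed: 'missing' never arrived, 'mismatch' maps
    app -> (installed version, expected version), 'disabled' arrived but is off."""
    missing = sorted(a for a in expected if a not in installed)
    mismatch = {a: (installed[a].version, v) for a, v in expected.items()
                if a in installed and installed[a].version != v}
    disabled = sorted(a for a in expected
                      if a in installed and not installed[a].enabled)
    return missing, mismatch, disabled


# Constructed sample, trimmed to the fields used here; a real response carries many more.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "search",
         "content": {"label": "Search & Reporting", "version": "9.2.0", "disabled": False}},
        {"name": "my_outputs",
         "content": {"label": "my_outputs", "version": "1.3", "disabled": False}},
        {"name": "my_inputs",
         "content": {"label": "my_inputs", "version": "2.0", "disabled": True}},
    ]
})

# Constructed: what the deployment server's serverclass should push (assumed).
EXPECTED_FROM_DS = {"my_outputs": "1.4", "my_inputs": "2.0", "my_indexes": "1.0"}


def report(installed: Dict[str, AppState], expected: Dict[str, str]) -> List[str]:
    """Human-readable lines for the three discrepancy classes."""
    missing, mismatch, disabled = compare_with_expected(installed, expected)
    lines = [f"missing: {a}" for a in missing]
    lines += [f"version mismatch: {a} has {have}, expected {want}"
              for a, (have, want) in mismatch.items()]
    lines += [f"disabled: {a}" for a in disabled]
    return lines


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_apps_local(...)
    # for a real forwarder.
    for line in report(parse_apps_local(SAMPLE_RESPONSE), EXPECTED_FROM_DS):
        print(line)
```

Two caveats a practitioner should keep in mind: apps/local only reflects what splunkd has actually loaded, so an app directory copied in by hand (or just pushed by the deployment server) will not show up until splunkd restarts, and the management port (8089 by default) of each forwarder has to be reachable from wherever you run this, which is exactly the visibility the original question says is lacking. The _internal search above needs no such access, since the deployment server's own log already records each download.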

MuS
Legend

My bad, for whatever reason I thought the default for phoneHomeIntervalInSecs was 300 - ¯\_(ツ)_/¯ ... anyway, this is the app you're looking for: https://splunkbase.splunk.com/app/2775/

cheers, MuS

sloshburch
Splunk Employee

All good! Great catch on the app!
