How to tell if an app was installed via deployment server

Champion

Hi,

Is there any way to tell via Splunk logs when apps are being installed via the deployment server on specific hosts? We don't have visibility into the servers, and need it to troubleshoot some issues.


Re: How to tell if an app was installed via deployment server

SplunkTrust

Hi a212830,

the hard way:

change any setting in the local directory and wait for 5 minutes (default phone home interval). If the changes are gone, this app is deployed using deployment server.

the easy way:

run this search

index=_internal component=PackageDownloadRestHandler host=* app=<YourAppNameHere> earliest=-30d@d
| bin _time span=1h
| stats count by _time host app

This will show you when which host downloaded what app.

Hope this helps ...

cheers, MuS


Re: How to tell if an app was installed via deployment server

Ultra Champion

Great answer! A couple of adjustments and additions.

You mentioned 5 minutes as the default phone home but I think it's 60 seconds: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Deploymentclientconf

phoneHomeIntervalInSecs = <number in seconds>
* Defaults to 60.
* Fractional seconds are allowed.
* This determines how frequently this deployment client should check for new
  content.

I think there's a way to ping the remote instance and use the REST API to discover if the app is installed. It may depend on if splunkd knows it's there (versus someone manually placing the app folder and not restarting).
I think the /apps/local endpoint is the one to use for that as per http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTapps#apps.2Flocal

I could swear there's a Splunkbase app someone put together for this specific challenge but I can't seem to find it right now. Some apps worth peeking into as an option could be:
* Btool Scripted Inputs for Splunk - https://splunkbase.splunk.com/app/3590/#/details
* Internal change management for Splunk configs - https://splunkbase.splunk.com/app/2627/
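
An added example, not part of the original post or of any Splunk tooling: a small Python check against the /apps/local endpoint mentioned above, reporting whether each expected app is registered with splunkd and enabled. The Bearer-token header, the app names and the sample response are assumptions made for illustration; an app folder that was copied in without a restart will not appear in this listing.

```python
import json
import ssl
import urllib.request

# Constructed sample of an apps/local JSON response, trimmed to the fields used below.
SAMPLE = {"entry": [
    {"name": "search", "content": {"disabled": False, "version": "8.0.0"}},
    {"name": "TA_example_inputs", "content": {"disabled": True, "version": "1.2.0"}},
    {"name": "example_outputs", "content": {"disabled": False}},
]}

def fetch_apps(base_url, token, cafile=None):
    """GET /services/apps/local from a splunkd management port, e.g. https://host:8089.

    Assumes a Splunk authentication token; pass cafile when splunkd uses a private CA.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # certificate verification stays on
    req = urllib.request.Request(
        base_url.rstrip("/") + "/services/apps/local?output_mode=json&count=0",
        headers={"Authorization": "Bearer " + token},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

def app_status(payload, expected):
    """Return {app: {installed, enabled, version}} for every expected app name."""
    registered = {}
    for entry in payload.get("entry", []):
        content = entry.get("content", {})
        # Tolerate both JSON booleans and "0"/"1" style strings for 'disabled'.
        disabled = str(content.get("disabled", False)).lower() in ("1", "true")
        registered[entry["name"]] = {
            "installed": True,
            "enabled": not disabled,
            "version": content.get("version"),
        }
    missing = {"installed": False, "enabled": False, "version": None}
    return {name: registered.get(name, dict(missing)) for name in expected}

if __name__ == "__main__":
    # Offline demo on the constructed sample; replace with fetch_apps(...) for a live host.
    expected = ["TA_example_inputs", "example_outputs", "TA_not_there"]
    for name, state in app_status(SAMPLE, expected).items():
        print(name, state)
```
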


Re: How to tell if an app was installed via deployment server

SplunkTrust

My bad, for whatever reason I thought the default for phoneHomeIntervalInSecs was 300 - ¯\_(ツ)_/¯ ... anyway this is the app you're looking for : https://splunkbase.splunk.com/app/2775/

cheers, MuS


Re: How to tell if an app was installed via deployment server

Ultra Champion

All good! Great catch on the app!


Re: How to tell if an app was installed via deployment server

Champion

Thanks. I modified it to give me "peer" instead of host for the stats, and it worked great.


Re: How to tell if an app was installed via deployment server

Ultra Champion

Another option for an answer that I just stumbled on:

index=_introspection component=deployment.app
| stats latest(data.version) AS version, latest(data.enabled) AS state BY data.host, data.name

Using the introspection data to see what's installed. Gotchas:

  1. Make sure the forwarders are on a version that supports introspection: https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Abouttheplatforminstrumentationf...
  2. Make sure the forwarders have introspection enabled: https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/ConfigurePIF#Enable_logging_on_a...

So, it's certainly more complicated of an approach BUT if you already have it all configured then it's worth exploring!
