the hard way:
change any setting in the
local directory and wait for 5 minutes (default phone home interval). If the changes are gone, this app is deployed using deployment server.
the easy way:
run this search
index=_internal component=PackageDownloadRestHandler host=* app=<YourAppNameHere> earliest=-30d@d | bin _time span=1h | stats count by _time host app
This will show you when which host downloaded what app.
Hope this helps ...
Great answer! A couple of adjustments and additions.
You mentioned 5 minutes as the default phone home but I think it's 60 seconds: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Deploymentclientconf
phoneHomeIntervalInSecs = <number in seconds> * Defaults to 60. * Fractional seconds are allowed. * This determines how frequently this deployment client should check for new content.
I think there's a way to ping the remote instance and use the REST API to discover if the app is installed. It may depend on if splunkd knows it's there (versus someone manually placing the app folder and not restarting).
I think the
/apps/local endpoint is the one to use for that as per http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTapps#apps.2Flocal
I could swear there's a splunkbase app someone put together for this specific challenge but I can't seem to find it right now. Some apps worth peeking into as an option could be:
* Btool Scripted Inputs for Splunk - https://splunkbase.splunk.com/app/3590/#/details
* Internal change management for Splunk configs - https://splunkbase.splunk.com/app/2627/
Another option for an answer that I just stumbled on:
index=_introspection component=deployment.app | stats latest(data.version) AS version, latest(data.enabled) AS state BY data.host, data.name
Using the introspection data to see what's installed. Gotchas:
So, it's certainly more complicated of an approach BUT if you already have it all configured then it's worth exploring!