How to create a report that lists all enabled apps on Splunk Universal Forwarders and their versions?

paoloromagnoli
New Member

I would like to create a report/dashboard that includes among other things the list of Splunk apps installed on universal forwarders and their versions.
I created the report for apps installed on heavy forwarders and other Splunk components using the REST API. Any idea for universal forwarders? Also, on the deployment server I was not able to spot if that info is indexed somewhere.

0 Karma

gcusello
SplunkTrust

Hi @paoloromagnoli,

try this

| rest splunk_server=local /services/deployment/server/clients
| table hostname ip utsname *.restartSplunkd
| eval temp=hostname."#".ip."#".utsname 
| table temp *.restartSplunkd
| eval application.NoApp.restartSplunkd=0
| untable temp apps count 
| eval Apps=if(like(apps,"app%"),mvindex(split(apps,"."),1),null()) 
| eval ServerClass=if(like(apps,"server%"),mvindex(split(apps,"."),1),null() ) 
| rex field=temp "(?<Host>.*)#(?<Host_IP>.*)#(?<Machine_Type>.*)" 
| table Host Host_IP Machine_Type Apps ServerClass 
| stats Values(*) as * dc(Apps) AS dc_apps by Host Host_IP Machine_Type
| eval Apps=if(dc_apps=1,Apps,mvindex(Apps,1,10))
| nomv Apps
| nomv ServerClass
| fillnull value="NoSC" ServerClass

Ciao.

Giuseppe

0 Karma

Abha111
Loves-to-Learn Lots

Hi Paoloromagnoli,

Could you please share the REST query you used to create a report for apps installed on heavy forwarders and other Splunk components using the REST API?

0 Karma

woodcock
Esteemed Legend

This would make an excellent Modular Input App exercise. Your script will go to $SPLUNK_HOME/etc/apps/ and list out each directory and then go into each application directory and look for an app.conf file, first in local and then in default. Inside of that, find the line that says version=value and grab the value. There might be an app on Splunkbase that already does this.
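
The procedure described in the post above, written as a scripted-input style shell script (an added example, not code from any poster in this thread; POSIX shell is used because universal forwarders do not bundle a Python interpreter). The function names, the key=value output format, reading `version` from `[launcher]` and `state` from `[install]`, and the `/opt/splunkforwarder` fallback path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Prints one key=value event per app.

# conf_get FILE STANZA KEY: print the value of KEY inside [STANZA], or nothing.
conf_get() {
    [ -f "$1" ] || return 0
    awk -v stanza="[$2]" -v key="$3" '
        /^[ \t]*#/  { next }                                  # comment line
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); in_s = ($0 == stanza); next }
        in_s && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v                              # last one wins
        }
        END { if (val != "") print val }' "$1"
}

# effective APP_DIR STANZA KEY FALLBACK: local/app.conf overrides default/app.conf.
effective() {
    v=$(conf_get "$1/local/app.conf" "$2" "$3")
    [ -n "$v" ] || v=$(conf_get "$1/default/app.conf" "$2" "$3")
    printf '%s' "${v:-$4}"
}

# list_app_versions [APPS_DIR]: one line per app directory.
list_app_versions() {
    # Assumption: default Linux UF install path when SPLUNK_HOME is unset.
    apps_dir=${1:-${SPLUNK_HOME:-/opt/splunkforwarder}/etc/apps}
    for app in "$apps_dir"/*/; do
        [ -d "$app" ] || continue
        app=${app%/}
        # Assumption: an app with no [install] state setting is enabled.
        printf 'app="%s" version="%s" state="%s"\n' "${app##*/}" \
            "$(effective "$app" launcher version unknown)" \
            "$(effective "$app" install state enabled)"
    done
}

# make_demo_apps DIR: constructed sample tree, for trying the script offline.
make_demo_apps() {
    mkdir -p "$1/TA_demo/default" "$1/TA_demo/local" "$1/old_app/default" "$1/old_app/local"
    printf '[launcher]\nversion = 1.0.0\n' > "$1/TA_demo/default/app.conf"
    printf '[launcher]\nversion = 1.2.0\n' > "$1/TA_demo/local/app.conf"
    printf '# legacy\n[launcher]\nversion=0.9\r\n' > "$1/old_app/default/app.conf"
    printf '[install]\nstate = disabled\n' > "$1/old_app/local/app.conf"
}

list_app_versions   # scripted-input entry point: scans the forwarder's apps dir
```

Deployed as a scripted input, each output line becomes an event whose `app`, `version` and `state` fields Splunk extracts automatically, so the report can be built with a plain search over that sourcetype.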

paoloromagnoli
New Member

That was my first idea... I was only trying to see if that info was already present somewhere in some index.
Thanks,
Paolo

0 Karma