Deployment Architecture

How to create search/dashboard of Ubuntu hosts with installed updates requiring a reboot?

cinchnetops
Explorer

I'm trying to create a specific search/dashboard in Splunk Enterprise 7. We have hosts running Ubuntu 14.04 with the unattended-upgrades package installed and configured to run daily. When updates are installed that require a reboot, 2 files are created on each host: /var/run/reboot-required (with the text "*** System restart required ***") and /var/run/reboot-required.pkgs (containing the packages requesting the reboot). These files are removed upon rebooting the host.

The hosts have the universal forwarder installed and I have the 2 files mentioned above forwarded to our Splunk Enterprise server. Currently, I have this search set up as an alert:

sourcetype=reboot-required.pkgs | rex max_match=0 field=_raw "(?<Packages>[^\n]+)" | mvexpand Packages | eval _raw=Packages | stats values(Packages) as Packages dc(Packages) as "Package Count" by host

Within a given time period, I can see which hosts require a reboot and what packages are prompting the reboot.

Unfortunately, this search/dashboard does not give me the entire overview of ALL my hosts at THIS moment. For example, if I have hosts that last installed updates requiring a reboot a week ago, but have NOT since been rebooted, I would not see these hosts in the search results within the last 3 days (since there are no changes to the /var/run/reboot-required* files). However, I do expect to see no results IF the reboot-required* files do NOT exist on any host.

I want to get the latest status from the reboot-required* files on EACH host regardless of time frame. What is the best way to go about this?

Thanks in advance!

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...