Is it possible to retrieve the hashes of apps push...

quasikaze · ‎09-01-2016

According to the top answer in the question titled "Deployment Server - when app is redeployed, what is overwritten" (url listed below), the deployment server creates a hash of an app and compares it to the hash of what it has and then decides accordingly. Is there a file or database somewhere on the deployment server that contains the listing of hashes by app and computer? I would like to be able to retrieve them to validate the users aren't modifying anything on the universal forwarders. I want to get those hashes and then compare them to a hash of what's currently on the machine. I could write a script to go through and do this myself, but if there is some type of backend functionality Splunk has that I'm unaware of, that would be wonderful. Maybe there is already a different way to prevent a user from altering anything?

somesoni2 · ‎09-01-2016

On Deployment Server, you'll find the deployment bundles for each app assigned for each serverclass defined in serverclass.conf in below path

$SPLUNK_HOME/var/run/tmp/<<ServerClassName>>

App bundles to be found in $SPLUNK_HOME/var/run/tmp/<<ServerClassName>>/<<appname>>-timestmap.bundle

On the client/forwarder, last received bundle is stored in following path.

$SPLUNK_HOME/var/run/<<ServerClassName>>/<<appname>>-timestmap.bundle

Is it possible to retrieve the hashes of apps pushed by the deployment server before deploying?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms