Solved: Re: Is there a way to get a list of Splunk Apps th...

kennybirdwell · ‎07-14-2016

Through Forwarder Management, you can see Clients and list how many apps are installed on that client. What I want to be able to do is list the apps that are installed on a client, so if a client has three apps, how can I see what three apps are installed?

somesoni2 · ‎07-14-2016

Run this query from your deployment server instance
Updated - fixed typo

| rest /services/deployment/server/clients splunk_server=local| table hostname applications*.stateOnClient | untable hostname applications value | eval applications=replace(applications,"applications\.(\w+)\.stateOnClient","\1") | stats values(applications) as applications by hostname

View solution in original post

somesoni2 · ‎07-14-2016

Run this query from your deployment server instance
Updated - fixed typo

| rest /services/deployment/server/clients splunk_server=local| table hostname applications*.stateOnClient | untable hostname applications value | eval applications=replace(applications,"applications\.(\w+)\.stateOnClient","\1") | stats values(applications) as applications by hostname

thambisetty · ‎06-21-2021

small correction:

if the application contains -(hyphen) then the regex from your search is not matching. for example application

applications.Splunk_TA_bit9-carbonblack.stateOnClient

I would suggest using below regex that will capture first . (period) to next .(period)

applications\.(.*)\.stateOnClient

————————————
If this helps, give a like below.

sogeniusio · ‎02-15-2018

Your regex should read

"applications\.(\w+)\.stateOnClient","\1"

Missing an "s"

somesoni2 · ‎02-15-2018

Good catch. Rectified now.

soofz · ‎12-19-2019

Is there a way to further get the versions for each app as well?

kennybirdwell · ‎07-15-2016

Thanks, that's exactly what I was looking for.

a212830 · ‎07-14-2016

What does untable do? that's a new one...

maurelio79 · ‎08-08-2019

In our case this show app installed on Heavy Forwarder not Universal Forwarder.
Is there a way to list installed apps on Universal Forwarder if in the middle there also Heavy Forwarder?

Thanks and regards

somesoni2 · ‎07-14-2016

It converts table like

X Y1 Y2 Y3...
------------------
X1  v1 v2 v3

to

X  Y value
v1 Y1 v1
v1 Y2 v2
v1 Y3 v3

sloshburch · ‎07-15-2016

Check out untable and xyseries. They are each other's yin and yang. Think about how timechart throws a column for each value of a field - doing or undoing stuff like that is where those two commands play.

ashabc · ‎06-15-2017

How can I further filter it for a specific host or a specific app?

sloshburch · ‎06-16-2017

Use the SPL commands 'search' or 'where' to filter your result set. Remember that the earlier you filter, the better the performance you'll get.

ashabc · ‎06-18-2017

Thank you @SloshBurch. Splunk should provide this functionality in the Forwarder management GUI.

Is there a way to get a list of Splunk Apps that are installed on a deployment client running a universal forwarder?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...