Is there a way to get a list of Splunk Apps that are installed on a deployment client running a universal forwarder?

Explorer

Through Forwarder Management, you can see Clients and list how many apps are installed on that client. What I want to be able to do is list the apps that are installed on a client, so if a client has three apps, how can I see what three apps are installed?

1 Solution

SplunkTrust

Run this query from your deployment server instance
Updated - fixed typo

| rest /services/deployment/server/clients splunk_server=local| table hostname applications*.stateOnClient | untable hostname applications value | eval applications=replace(applications,"applications\.(\w+)\.stateOnClient","\1") | stats values(applications) as applications by hostname

Path Finder

Your regex should read

"applications\.(\w+)\.stateOnClient","\1"

Missing an "s"

0 Karma

SplunkTrust

Good catch. Rectified now.

0 Karma

New Member

Is there a way to further get the versions for each app as well?

0 Karma

Explorer

Thanks, that's exactly what I was looking for.

0 Karma

Champion

What does untable do? That's a new one...

0 Karma

Path Finder

In our case this shows the apps installed on the Heavy Forwarder, not the Universal Forwarder.
Is there a way to list the installed apps on a Universal Forwarder if there is also a Heavy Forwarder in the middle?

Thanks and regards

0 Karma

SplunkTrust

It converts a table like

X   Y1  Y2  Y3...
------------------
X1  v1  v2  v3

to

X   Y   value
v1  Y1  v1
v1  Y2  v2
v1  Y3  v3

0 Karma

Ultra Champion

Check out untable and xyseries. They are each other's yin and yang. Think about how timechart throws a column for each value of a field - doing or undoing stuff like that is where those two commands play.

0 Karma

Contributor

How can I further filter it for a specific host or a specific app?

0 Karma

Ultra Champion

Use the SPL commands 'search' or 'where' to filter your result set. Remember that the earlier you filter, the better the performance you'll get.

0 Karma
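
To make the untable step and the filtering advice concrete, here is a Python model of the accepted query's pipeline. It is an added example, not code from any poster in this thread or from Splunk. The field names follow the flattened `applications.<app>.stateOnClient` pattern used in the query; the hostnames, app names and state values are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed rows shaped like the output of
# `| rest ... | table hostname applications*.stateOnClient`.
ROWS = [
    {"hostname": "web01",
     "applications.Splunk_TA_nix.stateOnClient": "enabled",
     "applications.outputs_base.stateOnClient": "enabled"},
    {"hostname": "db01",
     "applications.Splunk_TA_nix.stateOnClient": "enabled",
     "applications.TA-custom-audit.stateOnClient": "disabled"},
]

# (.+) rather than the thread's (\w+): \w does not match "-", so a hyphenated
# app name would come out of replace() with its full field name unchanged.
APP_FIELD = re.compile(r"^applications\.(.+)\.stateOnClient$")


def untable(rows, key):
    """Model of `untable <key> applications value`: one row per (key, column)."""
    for row in rows:
        for field, value in row.items():
            if field != key and value is not None:
                yield row[key], field, value


def apps_by_host(rows, host=None, app=None):
    """Model of the whole pipeline, with optional host and app filters."""
    if host is not None:
        # Filter early: drop other hosts before any reshaping happens.
        rows = [r for r in rows if r["hostname"] == host]
    result = defaultdict(set)
    for hostname, field, _state in untable(rows, "hostname"):
        match = APP_FIELD.match(field)
        if not match:
            continue
        name = match.group(1)
        if app is None or name == app:
            result[hostname].add(name)
    # stats values(applications) by hostname: distinct, sorted values per host.
    return {h: sorted(names) for h, names in result.items()}


if __name__ == "__main__":
    for hostname, apps in apps_by_host(ROWS).items():
        print(hostname, apps)
```
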

Contributor

Thank you @SloshBurch. Splunk should provide this functionality in the Forwarder management GUI.

0 Karma