I am going through an audit, and I will need to identify when a splunk agent was installed on a system. The systems could be Windows 2003, 2008r2, 2012, Linux, AIX, or Solaris. I can look at the software configuration management application (SCCM or BladeLogic) for when Splunk was installed, but I wondered if Splunk had any metadata that could be searched to identify the very first installation date.
The only thing you will find is the first_install and migration files in $SPLUNK_HOME/var/log/splunk/
Example:
But they will be old and, if they were indexed, they will have been long gone from the _internal index (30-day retention). You could set up a new script to collect them again (use crcSalt to force the reindexing) and send them to an index that has a long retention.
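The collection step the answer describes, as an added example that is not part of the original thread or of Splunk's own tooling. It assumes the log directory layout given in the answer (`$SPLUNK_HOME/var/log/splunk/`) and assumes the evidence files are named `first_install*` and `migration*`; it uses only POSIX tools (`ls`, `head`) so it behaves the same on Linux, AIX and Solaris, where GNU `stat` is not available.

```shell
#!/bin/sh
# Added example (not from the thread): locate the first_install / migration
# evidence files under a Splunk home and report the oldest one, which is the
# best on-box indicator of the original installation date.
# Assumptions: directory layout $SPLUNK_HOME/var/log/splunk (from the answer),
# file-name patterns first_install* and migration* (assumed).

# List all candidate files, oldest first, in long format so the mtime is visible.
# Returns 1 when the directory does not exist or contains no candidate files.
splunk_install_evidence() {
    home="${1:-/opt/splunk}"
    logdir="$home/var/log/splunk"
    [ -d "$logdir" ] || { echo "no Splunk log dir: $logdir" >&2; return 1; }
    # -d: do not descend, -t: sort by mtime (newest first), -r: reverse to oldest first.
    # Unmatched globs make ls complain; that noise is discarded.
    listing=$(ls -ldtr "$logdir"/first_install* "$logdir"/migration* 2>/dev/null)
    [ -n "$listing" ] || { echo "no install evidence under $logdir" >&2; return 1; }
    printf '%s\n' "$listing"
}

# Print only the path of the oldest candidate file (the first install marker).
# Returns 1 if nothing is found.
splunk_oldest_evidence() {
    home="${1:-/opt/splunk}"
    logdir="$home/var/log/splunk"
    [ -d "$logdir" ] || return 1
    oldest=$(ls -dtr "$logdir"/first_install* "$logdir"/migration* 2>/dev/null | head -n 1)
    [ -n "$oldest" ] || return 1
    printf '%s\n' "$oldest"
}

# Usage: ./splunk_install_evidence.sh /opt/splunkforwarder
# Only runs when a Splunk home is given on the command line.
if [ $# -gt 0 ]; then
    splunk_install_evidence "$1" && printf 'oldest: %s\n' "$(splunk_oldest_evidence "$1")"
fi
```

Run it with the forwarder's install path on each host, or push it through the configuration-management tool mentioned in the question. To re-collect the files into Splunk as the answer suggests, add an inputs.conf monitor stanza for these paths with `crcSalt = <SOURCE>` (so files already seen are indexed again) and `index = <a long-retention index>`; note that the file mtime can be reset by an upgrade or a restore, so treat it as corroborating evidence beside the SCCM/BladeLogic records rather than the sole source.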
Thank you for the information. This is what I needed.