I am going through an audit, and I will need to identify when a Splunk agent was installed on a system. The systems could be Windows 2003, 2008 R2, 2012, Linux, AIX, or Solaris. I can look at the software configuration management application (SCCM or BladeLogic) for when Splunk was installed, but I wondered if Splunk had any metadata that could be searched to identify the very first installation date.
The only thing you will find is the first_install and migration files in $SPLUNK_HOME/var/log/splunk/:
first_install.log (check the file creation timestamp)
migration.log.2014-05-21.18-48-17 (check the filename or file creation timestamp)
But they will be old, and if they were indexed, they will be long gone from the _internal index (30 days retention). You could set up a new script to collect them again (use crcSalt to force the reindexing) and send them to an index that has a long retention.
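The file check described in the answer, as an added example that is not part of the original post or Splunk's own tooling: it reads the timestamp embedded in `migration.log.*` filenames and the file time of `first_install.log`, then sorts the evidence oldest first. It assumes the filename timestamp is host local time and that on Unix, where `stat()` usually exposes no creation time, mtime is an acceptable stand-in.

```python
import os
import re
import sys
from datetime import datetime

# Filename format as shown in the answer: migration.log.2014-05-21.18-48-17
MIGRATION_RE = re.compile(r"^migration\.log\.(\d{4}-\d{2}-\d{2}\.\d{2}-\d{2}-\d{2})$")


def file_time(path):
    """Best available 'created' time for a file, as a local naive datetime."""
    st = os.stat(path)
    if os.name == "nt":
        ts = getattr(st, "st_birthtime", st.st_ctime)  # Windows creation time
    else:
        # Assumption: the file was not rewritten after installation, so mtime
        # approximates the creation time that Unix stat() does not provide.
        ts = st.st_mtime
    return datetime.fromtimestamp(ts)


def install_evidence(log_dir):
    """Return (timestamp, source, filename) tuples, oldest first."""
    if not os.path.isdir(log_dir):
        return []
    found = []
    for name in os.listdir(log_dir):
        path = os.path.join(log_dir, name)
        match = MIGRATION_RE.match(name)
        if match:
            try:
                stamp = datetime.strptime(match.group(1), "%Y-%m-%d.%H-%M-%S")
                found.append((stamp, "filename", name))
            except ValueError:
                pass  # digits matched but are not a real date; use file time only
            found.append((file_time(path), "file-time", name))
        elif name == "first_install.log":
            found.append((file_time(path), "file-time", name))
    return sorted(found)


def earliest_install(log_dir):
    """Oldest piece of evidence, or None when neither file is present."""
    evidence = install_evidence(log_dir)
    return evidence[0] if evidence else None


if __name__ == "__main__":
    # Assumption: SPLUNK_HOME is set, or the log directory is given as argv[1].
    default = os.path.join(os.environ.get("SPLUNK_HOME", "."), "var", "log", "splunk")
    for stamp, source, name in install_evidence(sys.argv[1] if len(sys.argv) > 1 else default):
        print(stamp.isoformat(), source, name)
```

The `source` column tells the auditor whether a date came from a filename or from file metadata, which matters because file times change when a directory is restored from backup or copied.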