Is there any meta data that identifies when a splu...

lisaac · ‎05-27-2014

I am going through an audit, and I will need to identify when a splunk agent was installed on a system. The systems could be Windows 2003, 2008r2, 2012, Linux, AIX, or Solaris. I can look at the software configuration management application (SCCM or Bladelogi9c) for when Splunk was installed, but I wondered if Splunk had any metadata that could be searched to identify the very first installation date.

yannK · ‎05-27-2014

The only thing you will find is the first_install and migration files in $SPLUNK_HOME/var/log/splunk/

example :

first_install.log (check the file creation timestamp)
migration.log.2014-05-21.18-48-17 (check the filename or file creation timestamp)

But they will be old and if they were indexed, they will have been long time gone from the _internal index (30 days retention). You could setup a new script to collect them again (use crcSalt to force the reindexing), and send them to an index that has a long time retention

lisaac · ‎05-27-2014

Thank you for the information. This is what I needed.

Is there any meta data that identifies when a splunk agent was first installed?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation