
Is there any metadata that identifies when a Splunk agent was first installed?

Path Finder

I am going through an audit, and I will need to identify when a Splunk agent was installed on a system. The systems could be Windows 2003, 2008 R2, 2012, Linux, AIX, or Solaris. I can look at the software configuration management application (SCCM or BladeLogic) for when Splunk was installed, but I wondered if Splunk had any metadata that could be searched to identify the very first installation date.


Splunk Employee

The only things you will find are the first_install and migration files in $SPLUNK_HOME/var/log/splunk/

Example:

  • first_install.log (check the file creation timestamp)
  • migration.log.2014-05-21.18-48-17 (check the filename or file creation timestamp)

But they will be old, and if they were indexed, they will be long gone from the _internal index (30 days retention). You could set up a new script to collect them again (use crcSalt to force the reindexing) and send them to an index that has a long retention period.
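
One way to gather the evidence described in the answer above, as an added example that is not part of the original answer or Splunk's own tooling. It assumes a Python 3 interpreter is available on the host; the function names and the output line format are hypothetical, and the sample files are constructed.

```python
import os
import re
import sys
import tempfile
from datetime import datetime

# Timestamp embedded in names such as migration.log.2014-05-21.18-48-17
MIGRATION_RE = re.compile(r"^migration\.log\.(\d{4}-\d{2}-\d{2}\.\d{2}-\d{2}-\d{2})$")


def install_evidence(splunk_home):
    """Return (timestamp, basis, filename) tuples, oldest first."""
    log_dir = os.path.join(splunk_home, "var", "log", "splunk")
    if not os.path.isdir(log_dir):
        return []
    evidence = []
    for name in os.listdir(log_dir):
        match = MIGRATION_RE.match(name)
        if match:
            # The name keeps the host-local time even if the file is later copied.
            ts = datetime.strptime(match.group(1), "%Y-%m-%d.%H-%M-%S")
            evidence.append((ts, "filename", name))
        if match or name == "first_install.log":
            # mtime, not creation time: most Unix filesystems do not expose a
            # creation time, and st_ctime there is the inode change time.
            mtime = os.stat(os.path.join(log_dir, name)).st_mtime
            ts = datetime.fromtimestamp(mtime).replace(microsecond=0)
            evidence.append((ts, "mtime", name))
    return sorted(evidence)


def report(splunk_home):
    """Format the evidence as timestamped key=value lines for indexing."""
    return [f'{ts.isoformat()} basis={basis} file="{name}"'
            for ts, basis, name in install_evidence(splunk_home)]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        home = sys.argv[1]
    else:
        # Constructed sample tree, used when no SPLUNK_HOME path is given.
        home = tempfile.mkdtemp()
        logs = os.path.join(home, "var", "log", "splunk")
        os.makedirs(logs)
        for sample in ("first_install.log", "migration.log.2014-05-21.18-48-17"):
            open(os.path.join(logs, sample), "w").close()
    print("\n".join(report(home)))
```

For audit purposes, treat the mtime-based lines as weaker evidence than the filename-based ones, since a modification time changes whenever the file is rewritten or restored without preserving timestamps.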

Path Finder

Thank you for the information. This is what I needed.
