Getting Data In

Search for a list of installed packages with version numbers for a host

yrb6924
New Member

I've managed to create a search which will list for me all installed packages on a particular host, but I need to have a list of packages with the version number. Any idea how I can modify/improve this search to give me this?

host=[hostname] sourcetype=package | multikv noheader=t | rex "(?<package>\S+)" | stats dc(host) as dc by package | eventstats max(dc) as max | where dc = max | table package


marklaw2
Explorer

Here's what I use to pull all software installed on Linux machines.

A different type of output shows hosts and installed software:

sourcetype=package index=os
| multikv noheader=t
| rex field=_raw "^(?P<package>[^ ]+)\s+(?P<version>[^ ]+)\s+(?P<release>[^ ]+)\s+(?P<arch>\w+)"
| search NOT NAME NOT VERSION NOT RELEASE NOT ARCH
| dedup host package version release arch
| table host package version release arch

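The search above extracts package, version, release and arch from each line of the multi-line package event, drops the NAME/VERSION/RELEASE/ARCH header row, and dedups per host; the original question's search instead counts hosts per package and keeps the packages seen on every host. The following Python script is an added example, not code from this thread or from Splunk, that emulates both pipelines offline over constructed sample events (hostnames web01, web02, db01 and the package lines are made up, and the input is assumed to be rpm-style rows with the header line the `search NOT NAME ...` clause implies). The extra `version_spread` function goes slightly beyond the thread: it groups hosts by package version, which is the view you want when checking which hosts still carry an older build.

```python
"""Emulate the Splunk pipeline (multikv -> rex -> drop header -> dedup -> table)
over constructed sample 'package' sourcetype events. Added example, not from the thread."""
import re
from collections import defaultdict

# Mirrors the rex in the answer: four whitespace-separated columns per line.
PACKAGE_RE = re.compile(
    r"^(?P<package>[^ ]+)\s+(?P<version>[^ ]+)\s+(?P<release>[^ ]+)\s+(?P<arch>\w+)"
)
# The header row the answer filters out with '| search NOT NAME NOT VERSION ...'.
HEADER = ("NAME", "VERSION", "RELEASE", "ARCH")

# Constructed sample: one multi-line event per host, shaped like rpm query output.
# web01 carries a duplicated line and db01 a malformed one, to exercise dedup/rex.
SAMPLE_EVENTS = {
    "web01": """NAME VERSION RELEASE ARCH
openssl 1.1.1k 7.el8 x86_64
bash 4.4.20 4.el8 x86_64
openssl 1.1.1k 7.el8 x86_64
""",
    "web02": """NAME VERSION RELEASE ARCH
openssl 1.1.1w 1.el8 x86_64
bash 4.4.20 4.el8 x86_64
""",
    "db01": """NAME VERSION RELEASE ARCH
bash 4.4.20 4.el8 x86_64
postgresql 13.11 1.el8 x86_64
garbage-line
""",
}


def extract_packages(events):
    """Return an ordered, deduplicated list of (host, package, version, release, arch).

    Header rows are dropped, as the answer's '| search NOT NAME ...' does; lines the
    regex does not match yield no fields (rex behaviour) and are dropped as well.
    """
    seen = set()
    rows = []
    for host, raw in events.items():
        for line in raw.splitlines():  # multikv noheader=t: one row per line
            m = PACKAGE_RE.match(line)
            if not m:
                continue
            row = (host, m["package"], m["version"], m["release"], m["arch"])
            if row[1:] == HEADER:
                continue
            if row in seen:  # dedup host package version release arch
                continue
            seen.add(row)
            rows.append(row)
    return rows


def packages_on_all_hosts(rows):
    """Equivalent of: stats dc(host) as dc by package | eventstats max(dc) as max | where dc = max."""
    hosts_per_pkg = defaultdict(set)
    for host, package, *_ in rows:
        hosts_per_pkg[package].add(host)
    max_dc = max(len(hosts) for hosts in hosts_per_pkg.values())
    return sorted(pkg for pkg, hosts in hosts_per_pkg.items() if len(hosts) == max_dc)


def version_spread(rows):
    """Hosts per (package, version): shows which hosts lag behind on a given package."""
    spread = defaultdict(set)
    for host, package, version, *_ in rows:
        spread[(package, version)].add(host)
    return {key: sorted(hosts) for key, hosts in spread.items()}


if __name__ == "__main__":
    rows = extract_packages(SAMPLE_EVENTS)
    for row in rows:
        print("\t".join(row))
    print("on all hosts:", packages_on_all_hosts(rows))
    for (pkg, ver), hosts in sorted(version_spread(rows).items()):
        print(f"{pkg} {ver}: {', '.join(hosts)}")
```

On the sample data the duplicate openssl line on web01 collapses to one row, the header and the malformed line never reach the table, bash is the only package present on all three hosts, and the version view shows web01 still on openssl 1.1.1k while web02 has 1.1.1w.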

yrb6924
New Member

In fact what I need is even easier:

index=os host="[hostname]*" sourcetype=package | dedup host


dmaislin_splunk
Splunk Employee

If you have a version field then modify your search. Notice that I also sorted it in descending order and only display top 10.

host=[hostname] sourcetype=package | multikv noheader=t | rex "(?<package>\S+)" | stats dc(host) as dc by package,version | sort - dc | head 10