Splunk REST API: How to get deployment app version, author and description?

joshuapetitt
Path Finder

I am trying to make some reports for apps and deployment apps.

I was able to use:

| rest /services/apps/local

to get the label, version, author and description of local apps.

How do I get this same information for the deployment-apps?

I've tried

| rest /services/deployment/server/applications

but it does not show the label, version, author or description?

0 Karma

MuS
Legend

Hi joshuapetitt,

I don't think you will get this kind of information using this REST endpoint, because if you check the actual deployment-app using REST (let's say you have a deployment-app called myInputs)

| REST splunk_server=local /services/deployment/server/applications/myInputs/

you will get the author to be system, which is correct because the author here is related to the deployment bundle and not the app.

Another reason why I think you will not get this information using this REST endpoint, is that Splunk is not actually reading any of the app configs/files and therefore does not know anything about the app.

Most likely not the answer you wanted, but I think this is not feasible - sorry.

Hope this makes sense ...

cheers, MuS

joshuapetitt
Path Finder

Thank you for your reply. I also looked at a specific application using a similar request as your example and saw the same thing. What I really need is to see the label, version, author and description from the app.conf file in each deployment app. Is there another way to do what I am needing?

0 Karma

MuS
Legend

I don't think so, because as I wrote, Splunk is not reading any of the files in the $SPLUNK_HOME/etc/deployment-apps/ directory and therefore does not know the content. It just bundles each app, like a zip, and ships it to any configured UF ...

cheers, MuS

0 Karma

joshuapetitt
Path Finder

@MuS, do you know if I can ask the UFs about the apps they have? Is this info in any of the _internal indexes or anything like that? I know about the /services/deployment/server/clients endpoint, but this doesn't seem to have the info either.

0 Karma

MuS
Legend

This is the app you are looking for https://splunkbase.splunk.com/app/2775/ 😉

cheers, MuS

MuS
Legend

Nope, this information is not in _internal. There is an app available (cannot recall the name) that allows you to run remote REST calls to universal forwarders .....

cheers, MuS

0 Karma

joshuapetitt
Path Finder

Note, I'm not necessarily interested in what clients they are deployed to. I just need to get the label, version, author and description of the applications that can be deployed.

0 Karma

damiensurat
Contributor

Hi, I know that author is in the REST API call. However, it seems that you may be looking for the information from the app.conf files of the applications themselves? E.g.: %splunkhome%\etc\apps\[appname]\[default or local folder]\app.conf

stanza:
[launcher]
version =
author =
description =

Which raises the question, are you looking for information for applications deployed to say a search head and already installed?

0 Karma

joshuapetitt
Path Finder

@damiensurat, I am looking for the information about the deployment-apps on a deployment server.

Basically, I need to report the app information about the apps that can be deployed (not that necessarily are deployed, or where they are deployed)

0 Karma

MuS
Legend

Reading this comment; why not simply set up a monitor in inputs.conf that indexes the deployment apps directory? This way you get what you want 😉

cheers, MuS

joshuapetitt
Path Finder

Thanks, at the end of the day this may be the easiest thing to do. I'd like to pull the data from each app.conf (so I can see the version and author information). But a custom forwarder to do this might be the easiest for me to accomplish.

0 Karma
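
The thread settles on reading each deployment app's app.conf directly, since the deployment server REST endpoint does not parse it. The script below is an added example, not code from any poster or from Splunk: it builds that inventory from the filesystem. It assumes it runs on the deployment server with read access to the deployment-apps directory, that `label` lives in the `[ui]` stanza alongside the `[launcher]` fields quoted above, and that `local/app.conf` overrides `default/app.conf`; the function names and the sample app are hypothetical.

```python
import os
import tempfile

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current, pending = {}, "default", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # trailing backslash continues the value; joined here with a space
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def app_info(app_dir):
    """Merge default/app.conf then local/app.conf (local wins) and pick the report fields."""
    merged = {}
    for layer in ("default", "local"):
        path = os.path.join(app_dir, layer, "app.conf")
        if os.path.isfile(path):
            with open(path, encoding="utf-8-sig", errors="replace") as fh:
                for stanza, kv in parse_conf(fh.read()).items():
                    merged.setdefault(stanza, {}).update(kv)
    launcher, ui = merged.get("launcher", {}), merged.get("ui", {})
    return {"label": ui.get("label", ""), "version": launcher.get("version", ""),
            "author": launcher.get("author", ""), "description": launcher.get("description", "")}

def inventory(deployment_apps):
    """Return {app_folder: info} for every app directory under deployment-apps."""
    return {name: app_info(os.path.join(deployment_apps, name))
            for name in sorted(os.listdir(deployment_apps))
            if os.path.isdir(os.path.join(deployment_apps, name))}

if __name__ == "__main__":
    # Constructed sample tree standing in for $SPLUNK_HOME/etc/deployment-apps
    with tempfile.TemporaryDirectory() as root:
        conf_dir = os.path.join(root, "myInputs", "default")
        os.makedirs(conf_dir)
        with open(os.path.join(conf_dir, "app.conf"), "w") as fh:
            fh.write("[ui]\nlabel = My Inputs\n[launcher]\nversion = 1.2.0\nauthor = ops\n")
        for name, info in inventory(root).items():
            print(name, info)
```

Apps with no app.conf still appear in the result with empty fields, which makes unlabelled or unversioned deployment apps easy to spot in the report.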