Installation

How do I find out when my Splunk environment was installed/deployed?

inventsekar
SplunkTrust

On the Splunk-7.1.2-InheritedDeployment.pdf, I was looking for any ideas about finding out when my Splunk environment was installed/deployed...

However, no answers were there...

0 Karma
1 Solution

FrankVl
Ultra Champion

Have a look on your splunk servers, in root of the splunk install folder for the creation date of the oldest manifest file. Unless the previous admin manually cleaned those up when doing upgrades, that should give you an idea of when the install was first done.

That, or look at the creation date of var/log/splunk/first_install.log


0 Karma

woodcock
Esteemed Legend

WARNING! This answer is wrong. The date of this file will be the date of the file when it was packaged in the installer (tgz/rpm).

0 Karma

inventsekar
SplunkTrust

Superb, thanks @FrankVl (my sincere apologies for the delay in accepting this as the answer).

0 Karma

inventsekar
SplunkTrust

Any other ideas or suggestions? Please reply...

0 Karma

inventsekar
SplunkTrust

From Lowell and dveuve's answer at
https://answers.splunk.com/answers/4119/how-to-return-time-of-first-event-in-an-index.html

You can get first/last information from your index like this using the metadata command, that is the fastest way to get this information:

| metadata index=foo type=hosts | stats max(lastTime), min(firstTime)

If you want to convert that into a more readable time format, try something like this:

| metadata index=foo type=hosts | stats max(lastTime) as lastTime, min(firstTime) as firstTime | convert ctime(*Time)

Be aware that if you have one host sending data in with the wrong timestamp, that will show up here. Most of your data could be a week old, but that one host with NTP disabled and a time setting of 1.25 years ago will make you think you are meeting your data retention requirement.

Linux file date info - this will give the first and last event dates, which may or may not be the Splunk environment's install date.

One simple idea -
ls -tl /SPLUNK_install_HOME/splunk/bin/*
The oldest file in this directory will give you an approximate date (assuming you have not done any major upgrade).

Workaround -
To find the oldest 10 files under your Splunk installation directory -
find /opt/splunk/ -type f -printf '%T+ %p\n' | sort | head -n 10
10 files, to get a clearer picture.

0 Karma
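Pulling FrankVl's manifest/first_install.log suggestion, woodcock's caveat that a shipped file's mtime is only the packaging date, and the find-based file-age tips together, here is an added example script (not from the thread) that compares the oldest mtime against the oldest ctime of those files, since the inode change time is set when the file is actually written to this disk. It assumes GNU coreutils stat/date and that manifest files match splunk-*-manifest in $SPLUNK_HOME.

```shell
#!/bin/sh
# Added example, not from the thread: estimate when a Splunk install was
# first written to disk. Files shipped inside the tgz/rpm keep the mtime they
# had when packaged (woodcock's point), but the inode change time (ctime) is
# set when the file lands on this filesystem, so it is the better estimate.
# Assumes GNU coreutils (stat, date) and manifests named splunk-*-manifest.

# Emit "<epoch> <path>" for each candidate file using one stat field:
#   Y = mtime (packaging time for shipped files), Z = ctime (written-to-disk time)
list_candidates() {
    dir="$1"; fld="$2"
    for f in "$dir"/splunk-*-manifest "$dir"/var/log/splunk/first_install.log; do
        [ -f "$f" ] && stat -c "%$fld %n" "$f"
    done
    return 0
}

# Earliest epoch among the candidates for the given field; empty if none exist
earliest() {
    list_candidates "$1" "$2" | sort -n | head -n 1 | cut -d' ' -f1
}

# Report packaging time vs on-disk time and the gap between them.
# Caveat: ctime is also reset by chmod/chown or by copying the install tree,
# so the ctime is a lower bound on the install age, not a certificate of it.
report() {
    pkg=$(earliest "$1" Y)
    inst=$(earliest "$1" Z)
    if [ -z "$inst" ]; then
        echo "no manifest or first_install.log found under $1" >&2
        return 1
    fi
    echo "oldest mtime (packaging time):  $(date -u -d "@$pkg" +%F)"
    echo "oldest ctime (written to disk): $(date -u -d "@$inst" +%F)"
    echo "gap: $(( (inst - pkg) / 86400 )) days"
}

if [ -n "${SPLUNK_HOME:-}" ]; then report "$SPLUNK_HOME"; fi
```

Run it with SPLUNK_HOME pointing at the install root; a gap of many days between the two dates is exactly the situation woodcock warns about, where reading mtime alone would date the install to the build, not the deployment.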