Monitoring Splunk

Is there a way to retrieve the Splunk server installation date from the internal or audit index?

RiccardoV
Communicator

Hi guys,
I should retrieve the installation date and some other Splunk server information directly from a standard search. Is it possible?

1 Solution

MuS
SplunkTrust

Hi RiccardoV,

if no splunk clean all was done and the setup is no longer than 6 years ago, you could search index=_audit and see when you have the earliest events. That should give you at least some date and time. But you still cannot tell if this is the real installation date or just a date after the last clean all.

index=_internal will keep its events by default only for 30 days.

hope this helps ...

cheers, MuS

neelamssantosh
Contributor

On Unix:
1. rpm -qa| grep splunk
2. rpm -qi splunk-6.0.4-207768.x86_64 (Installed, other details.. )

RiccardoV
Communicator

I need to take that data INSIDE splunk

neelamssantosh
Contributor

In Web UI -> indexes,
look for earliest time.
Hope it can help you.

kristian_kolb
Ultra Champion

And also, it is perfectly normal to set up a Splunk server and then import archived log files (which could easily be several years old), so looking at the earliest timestamp of an event is not a 100% certain solution.

/k

MuS
SplunkTrust

I already answered this question, but here would be the next answer to the next question. Remember this is also only valid if no splunk clean all was done. So here would be the equivalent search to the UI approach:

 | rest /services/data/indexes | search title=main | table title minTime splunk_server

This example uses only index=main. Bear in mind that on a search head you will get results from all search peers, whereas in the UI, even on a search head, you will get only the local index report.

cheers, MuS
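Putting the two caveats in this thread together (MuS's _audit approach and kristian_kolb's imported-archive warning), here is an added Python example, not from the thread, that takes rows shaped like the output of `| rest /services/data/indexes` (fields title, minTime, splunk_server), uses the _audit minTime per peer as the estimate, and flags any peer whose data indexes hold events older than _audit. The sample rows and the ISO 8601 minTime format are constructed assumptions.

```python
"""Estimate a per-peer Splunk install date from `| rest /services/data/indexes` rows.
Sample rows and the ISO 8601 minTime format (numeric UTC offset) are assumptions."""
from datetime import datetime

# Constructed sample: a search head seeing two indexers. On idx01 an imported
# archive in main predates _audit; _internal is recent (30-day retention).
SAMPLE_ROWS = [
    {"title": "_audit", "minTime": "2014-05-12T10:22:31+0200", "splunk_server": "idx01"},
    {"title": "_internal", "minTime": "2021-04-10T00:00:04+0200", "splunk_server": "idx01"},
    {"title": "main", "minTime": "2009-01-01T00:00:00+0100", "splunk_server": "idx01"},
    {"title": "_audit", "minTime": "2016-09-03T08:15:00+0200", "splunk_server": "idx02"},
    {"title": "main", "minTime": "2016-09-03T09:00:00+0200", "splunk_server": "idx02"},
]

def parse_min_time(value):
    """Parse a minTime string such as 2014-05-12T10:22:31+0200 (tz-aware)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")

def estimate_install_dates(rows):
    """Return {server: {"estimate": iso8601, "caveat": str or None}}.

    _audit is preferred: its events are generated locally, so they cannot be
    back-dated by importing archived logs. A data index older than _audit
    signals imported archives. Neither value reveals a `splunk clean all`,
    which simply moves every minTime forward.
    """
    earliest = {}  # server -> {"_audit": datetime | None, "data": datetime | None}
    for row in rows:
        per_server = earliest.setdefault(row["splunk_server"], {"_audit": None, "data": None})
        key = "_audit" if row["title"] == "_audit" else "data"
        ts = parse_min_time(row["minTime"])
        if per_server[key] is None or ts < per_server[key]:
            per_server[key] = ts

    result = {}
    for server, times in earliest.items():
        audit, data = times["_audit"], times["data"]
        if audit is None:
            estimate, caveat = data, "no _audit index visible; based on data indexes only"
        else:
            estimate, caveat = audit, None
            if data is not None and data < audit:
                caveat = "data index older than _audit; archived logs were probably imported"
        result[server] = {"estimate": estimate.isoformat(), "caveat": caveat}
    return result

if __name__ == "__main__":
    for server, info in estimate_install_dates(SAMPLE_ROWS).items():
        print(server, info["estimate"], info["caveat"] or "ok")
```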

RiccardoV
Communicator

I need to retrieve the value from a search

RiccardoV
Communicator

thanks @MuS, it helps very much! I hoped for a different (and more "unique") solution 🙂
