Well, you can look in the Splunk internal logs. Search for
index=_internal "/appinstall/XXXXX"
where XXXXX is the filesystem directory name of the app. This will give you a user name as well as the date and time of installation.
However, it is possible to install an app from the Linux or Windows command line. All you have to do is to untar the app into the appropriate $SPLUNK_HOME/etc/apps folder, and perhaps restart Splunk. So you may need to examine the appropriate logs for your OS to determine if this is the case.
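For the command-line case described above, filesystem metadata on the app directories can narrow down where to look in the OS logs. The following is an added example, not part of the original answer: it lists each directory under $SPLUNK_HOME/etc/apps with its owner and change time, and drops the apps that the _internal search already accounted for. The function names and the /opt/splunk fallback path are assumptions.

```python
import os
import sys
from datetime import datetime, timezone
from pathlib import Path

try:
    import pwd  # POSIX only; on Windows the numeric uid is reported instead
except ImportError:
    pwd = None


def owner_name(uid):
    """Resolve a uid to a user name where the platform allows it."""
    if pwd is not None:
        try:
            return pwd.getpwuid(uid).pw_name
        except KeyError:
            pass
    return str(uid)


def app_dir_records(apps_root):
    """One record per app directory, most recently changed first."""
    records = []
    for entry in Path(apps_root).iterdir():
        if not entry.is_dir():
            continue
        st = entry.stat()
        # tar restores mtime from the archive, so st_ctime (inode change on
        # Linux, creation on Windows) is the better hint for on-disk arrival.
        changed = datetime.fromtimestamp(st.st_ctime, tz=timezone.utc)
        records.append({"app": entry.name, "owner": owner_name(st.st_uid),
                        "changed_utc": changed.isoformat(timespec="seconds")})
    return sorted(records, key=lambda r: r["changed_utc"], reverse=True)


def without_ui_install_event(records, logged_apps):
    """Apps on disk whose directory name never showed up in the search results."""
    logged = set(logged_apps)
    return [r for r in records if r["app"] not in logged]


if __name__ == "__main__":
    # /opt/splunk is an assumed fallback; set SPLUNK_HOME for your install.
    root = Path(os.environ.get("SPLUNK_HOME", "/opt/splunk")) / "etc" / "apps"
    logged = sys.argv[1:]  # app names that the _internal search returned
    for r in without_ui_install_event(app_dir_records(root), logged):
        print(f'{r["changed_utc"]}  {r["owner"]:<12} {r["app"]}')
```

Apps that ship with Splunk itself also appear in the output, since they never went through the app installer. The change time gives a window to check against shell history, auditd or Windows event logs.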