How to get Apps installed in HF using splunk?

sekhar463 · ‎07-20-2023

errors

m_pham · ‎07-21-2023

If you have an on-prem monitoring console host, then you'd be able to query the apps on your HF's like you did with the rest command. I'm not aware of a method of doing that on Splunk Cloud since it can't peer to on-prem environments. I'll let others add their input if they know of anything.

isoutamo · ‎07-21-2023

Hi

as @m_pham said you can add local MC node to monitoring your OnPrem HF etc. Then just add those HF as indexers there and then it should work.

Even easier way is do that query on HF command line (or GUI) locally. No need to add anything else there. You could also use REST (e.g. via cURL) on cmd line.

More from docs https://docs.splunk.com/Documentation/Splunk/9.1.0/Search/SearchwithSplunkWeb,CLI,orRESTAPI

If you are needing only list of installed apps then you should use

splunk list app|egrep ENABLED

This gives you a list of enabled apps.

r. Ismo

sekhar463 · ‎07-24-2023

Hai,

Thanks for your response.

can we get those data into splunk search which is splunk cloud i am using for the Apps information in HF"S

isoutamo · ‎07-24-2023

You can’t get those automatic to SC. If you really need those tho SC, you need to create own app which collect those on every HF and send them to SC.

What is your issue which you are trying to solve?

sekhar463 · ‎07-24-2023

i want to collect the data about App installed in all of my HF"S into splunk cloud .

i have a splunk search to get the data but how can i send this OUTPUT to splunk cloud as we have on-prem HF"S

| rest /services/apps/local
| search disabled=0 AND version!=1.0.0 AND check_for_updates = 1 AND update.version!=null
| rename update.version AS New_version
| table label title author version update.name New_version version update.homepage description docs_section_override

isoutamo · ‎07-24-2023

You cannot get that information directly from any HFs as you cannot add those as a search peers to SC. So only way is add app to all HFs which collect that information and then send it regularly to SC into some index. Then you could query towards it.

I’m not sure if you could try this with _conftrack (or what was name of this index?) I cannot check it now, but you could try it.

cklunck · ‎07-30-2023

index=_configtracker

sekhar463 · ‎07-27-2023

can you tell me the configuration for this.

is it by using HEC token

isoutamo · ‎07-27-2023

As I said, you need to create a TA which contains e.g. scripted inputs for collecting that information from HF/UF. Then you need add sourcetype and maybe something else what you want to it. Store those on some index on indexers on SC. For that you should add index definition on SC (or add those to your app).
After you have deployed that TA to your HF/UFs, you could query needed information on SC.

sekhar463 · ‎07-28-2023

for below REST Api SEARCH how can i configure the script in the inputs.conf files

| rest /services/apps/local 
| search disabled=0 AND version!=1.0.0 AND check_for_updates = 1 AND update.version!=null
| rename update.version AS New_version 
| table label title author version update.name New_version version update.homepage description docs_section_override

How to get Apps installed in HF using splunk?

administration

configuration

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio