Hi,
Could you please help me to create a search which can list all apps enabled in Splunk (on splunk search head) and their respective version number? We have multiple Search heads and there is significant difference in app versions on each Search head. I used ./splunk display app
command, but its listing only apps and not showing the app version. From the GUI I can see them in manage apps, but the number of apps is huge. Is there any search available to list enabled apps along with their version ?
Hi thezero,
you can run this REST search:
| rest /services/apps/local | search disabled=0 | table label version
Hope that helps ...
cheers, MuS
Hi thezero,
you can run this REST search:
| rest /services/apps/local | search disabled=0 | table label version
Hope that helps ...
cheers, MuS
Is there any way to display results in a report for the entire environment (ie. sh1, sh2, sh3...etc) or will it need to be run individually for each instance?
did you find this answer? to list where the apps were install, SH, SH1, IDM, IDX, etc.
Yes, I used this query:
| rest /services/apps/local splunk_server=*
| search disabled=0 core=0
| fields title label version splunk_server
| stats values(title) as title, values(label) as label, values(version) as version, by splunk_server
disabled=0 is only listing the apps that are enabled (in use)
core=0 is only listing the apps that are not Splunk core apps (part of the install pkg)
Hi @MuS ,
Is there a way to remove the list of splunk's default apps like "Home , learned , Search & Reporting etc ...
I want the list of the apps deployed by me via the deployer..
What if GUI of my Splunk HF is disabled and I want to search a list of all enabled apps and their versions on my Splunk HF?
You know that you can run a REST search on a remote server?
If it is a search peer, simple run the search and add splunk_server=MyHeavyWeightForwarder
to it, or run a remote search from the CLI :
$SPLUNK_HOME/bin/splunk search "| rest /services/apps/local | search disabled=0 | table label version" -uri https://MyHeavyWeightForwarder:8089
BUT, This will only work if you either changed the default password or allowed remote logins.
cheers, MuS
HI @sarnagar
can you try putting core=0 in the saerch provided by @MuS ,
something like this
| rest /services/apps/local | search disabled=0 core=0|dedup label | table label version
Hope that helps
thanks
Hi @nawneel ,
That worked..!! Thankyou 🙂
@Mus, @nawneel, Thank you! these two helped.
But is there a way to make the resultant fields to work like hyperlinks to their respective apps. I have multiple apps. I now want to use this resultant report like a list and when an app name is clicked, that should redirect to the app's home page.
@sh254087, sur you can; it is called conditional drill down and you can find more detail here http://docs.splunk.com/Documentation/Splunk/latest/Viz/DrilldownIntro
Take a look at this run everywhere example, and please note the extra option visible=1
which must be added otherwise uses could click on Apps that are not visible and encounter errors.
<dashboard>
<label>App drill down panel</label>
<row>
<panel>
<table>
<search>
<query>| rest /services/apps/local | search disabled=0 core=0 visible=1 |dedup label | table label title</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<link target="_self">/app/$row.title$</link>
</drilldown>
</table>
</panel>
</row>
</dashboard>
cheers, MuS
This is working! Thank you, @MuS
Cheers