Splunk Search

How to search a list of all enabled apps in Splunk and their versions on a search head?

Path Finder

Hi,

Could you please help me to create a search which can list all apps enabled in Splunk (on splunk search head) and their respective version number? We have multiple Search heads and there is significant difference in app versions on each Search head. I used ./splunk display app command, but its listing only apps and not showing the app version. From the GUI I can see them in manage apps, but the number of apps is huge. Is there any search available to list enabled apps along with their version ?

1 Solution

SplunkTrust
SplunkTrust

Hi thezero,

you can run this REST search:

| rest /services/apps/local | search disabled=0 | table label version

Hope that helps ...

cheers, MuS

View solution in original post

SplunkTrust
SplunkTrust

Hi thezero,

you can run this REST search:

| rest /services/apps/local | search disabled=0 | table label version

Hope that helps ...

cheers, MuS

View solution in original post

Is there any way to display results in a report for the entire environment (ie. sh1, sh2, sh3...etc) or will it need to be run individually for each instance?

0 Karma

Contributor

Hi @MuS ,

Is there a way to remove the list of splunk's default apps like "Home , learned , Search & Reporting etc ...
I want the list of the apps deployed by me via the deployer..

0 Karma

Path Finder

What if GUI of my Splunk HF is disabled and I want to search a list of all enabled apps and their versions on my Splunk HF?

0 Karma

SplunkTrust
SplunkTrust

You know that you can run a REST search on a remote server?

If it is a search peer, simple run the search and add splunk_server=MyHeavyWeightForwarder to it, or run a remote search from the CLI :

$SPLUNK_HOME/bin/splunk search "| rest /services/apps/local | search disabled=0 | table label version" -uri https://MyHeavyWeightForwarder:8089

BUT, This will only work if you either changed the default password or allowed remote logins.

cheers, MuS

Communicator

HI @sarnagar

can you try putting core=0 in the saerch provided by @MuS ,

something like this

| rest /services/apps/local | search disabled=0 core=0|dedup label  | table label version

Hope that helps
thanks

Contributor

Hi @nawneel ,

That worked..!! Thankyou 🙂

0 Karma

Communicator

@Mus, @nawneel, Thank you! these two helped.

But is there a way to make the resultant fields to work like hyperlinks to their respective apps. I have multiple apps. I now want to use this resultant report like a list and when an app name is clicked, that should redirect to the app's home page.

0 Karma

SplunkTrust
SplunkTrust

@sh254087, sur you can; it is called conditional drill down and you can find more detail here http://docs.splunk.com/Documentation/Splunk/latest/Viz/DrilldownIntro
Take a look at this run everywhere example, and please note the extra option visible=1 which must be added otherwise uses could click on Apps that are not visible and encounter errors.

<dashboard>
  <label>App drill down panel</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| rest /services/apps/local | search disabled=0 core=0 visible=1 |dedup label | table label title</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <link target="_self">/app/$row.title$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

cheers, MuS

Communicator

This is working! Thank you, @MuS
Cheers

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!