Solved: Search Head audit of all listed Apps \ TA's \ SA's...

Anthony_Faul · ‎09-27-2021

i all

I'm tasked with performing an audit of our Splunk (Cloud) Search Heads (2) as many Apps \ Add-Ons have been sporadically installed onto them over the years and problems are occurring.

The aim is to export the search to .CSV to compare, detect gaps, mismatches etc., identify candidates for upgrade or removal etc.

Any offers to help greatly appreciated.

PickleRick · ‎09-27-2021

You have a REST endpoint to manage apps.

https://docs.splunk.com/Documentation/Splunk/8.2.2/RESTREF/RESTapps

For example - to check for upgradeable apps you can do something like:

| rest /services/apps/local 
| where version!='update.version'
| table label version update.version

View solution in original post

PickleRick · ‎09-27-2021

You have a REST endpoint to manage apps.

https://docs.splunk.com/Documentation/Splunk/8.2.2/RESTREF/RESTapps

For example - to check for upgradeable apps you can do something like:

| rest /services/apps/local 
| where version!='update.version'
| table label version update.version

Anthony_Faul · ‎09-28-2021

Tnx @PickleRick

That's sufficient to provide me the details.

Search Head audit of all listed Apps \ TA's \ SA's via search command

chart

count

eval

field extraction

fields

lookup

metadata

regex

rex

stats

subsearch

table

timechart

tstats

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?