How to search a list of all enabled apps in Splunk and their versions on a search head?

thezero
Path Finder

Hi,

Could you please help me to create a search which can list all apps enabled in Splunk (on Splunk search head) and their respective version number? We have multiple search heads and there is a significant difference in app versions on each search head. I used the ./splunk display app command, but it's listing only apps and not showing the app version. From the GUI I can see them in manage apps, but the number of apps is huge. Is there any search available to list enabled apps along with their version?

1 Solution

MuS
Legend

Hi thezero,

you can run this REST search:

| rest /services/apps/local | search disabled=0 | table label version

Hope that helps ...

cheers, MuS

andrea_l_davila
Explorer

Is there any way to display results in a report for the entire environment (ie. sh1, sh2, sh3...etc) or will it need to be run individually for each instance?

0 Karma

liaodf
Loves-to-Learn Lots

Did you find this answer? To list where the apps were installed, SH, SH1, IDM, IDX, etc.

0 Karma

andrea_l_davila
Explorer

Yes, I used this query:

| rest /services/apps/local splunk_server=* 
| search disabled=0 core=0
| fields title label version splunk_server
| stats values(title) as title, values(label) as label, values(version) as version, by splunk_server

disabled=0 is only listing the apps that are enabled (in use)

core=0 is only listing the apps that are not Splunk core apps (part of the install pkg)
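
Added example (not from the thread): the per-server listing above, turned around so that each app is one row and only apps whose version differs between servers, or that are missing from some of them, are returned. It assumes every instance of interest is reachable by `rest` from where the search runs (the local instance and its search peers), and it takes the largest server count seen for any app as the total number of servers; the field names `server_version`, `distinct_versions`, `version_by_server`, `servers_with_app`, `total_servers` and `drift` are made up for this example.

```spl
| rest /services/apps/local splunk_server=*
| search disabled=0 core=0
``` keep server and version paired so the pairing survives the stats below ```
| eval server_version = splunk_server . "=" . coalesce(version, "unversioned")
| stats dc(version) as distinct_versions
        values(version) as versions
        values(server_version) as version_by_server
        dc(splunk_server) as servers_with_app
        by title
``` assumption: the app present on the most servers is present on all of them ```
| eventstats max(servers_with_app) as total_servers
| eval drift = case(distinct_versions > 1, "version mismatch",
                    servers_with_app < total_servers, "missing on some servers",
                    true(), "consistent")
| where drift != "consistent"
| sort title
| table title drift versions version_by_server servers_with_app total_servers
```

Pairing `splunk_server` with `version` before the `stats` matters because separate `values()` calls each return their own sorted, de-duplicated list, so the entries no longer line up per app.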

sarnagar
Contributor

Hi @MuS ,

Is there a way to remove the list of Splunk's default apps like "Home, learned, Search & Reporting" etc.?
I want the list of the apps deployed by me via the deployer.

0 Karma

kishor_pinjark2
Path Finder

What if GUI of my Splunk HF is disabled and I want to search a list of all enabled apps and their versions on my Splunk HF?

0 Karma

MuS
Legend

You know that you can run a REST search on a remote server?

If it is a search peer, simply run the search and add splunk_server=MyHeavyWeightForwarder to it, or run a remote search from the CLI:

$SPLUNK_HOME/bin/splunk search "| rest /services/apps/local | search disabled=0 | table label version" -uri https://MyHeavyWeightForwarder:8089

BUT, this will only work if you either changed the default password or allowed remote logins.

cheers, MuS

nawneel
Communicator

Hi @sarnagar

can you try putting core=0 in the search provided by @MuS,

something like this

| rest /services/apps/local | search disabled=0 core=0|dedup label  | table label version

Hope that helps
thanks

sarnagar
Contributor

Hi @nawneel ,

That worked..!! Thank you 🙂

0 Karma

sh254087
Communicator

@Mus, @nawneel, Thank you! These two helped.

But is there a way to make the resultant fields work like hyperlinks to their respective apps? I have multiple apps. I now want to use this resultant report like a list and when an app name is clicked, that should redirect to the app's home page.

0 Karma

MuS
Legend

@sh254087, sure you can; it is called conditional drill down and you can find more detail here http://docs.splunk.com/Documentation/Splunk/latest/Viz/DrilldownIntro
Take a look at this run everywhere example, and please note the extra option visible=1 which must be added, otherwise users could click on Apps that are not visible and encounter errors.

<dashboard>
  <label>App drill down panel</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| rest /services/apps/local | search disabled=0 core=0 visible=1 |dedup label | table label title</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <link target="_self">/app/$row.title$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

cheers, MuS

sh254087
Communicator

This is working! Thank you, @MuS
Cheers

0 Karma