Splunk Info
Description
A listing of Splunk client information for Windows.
The bar operator ("|") requires BES Client v8. On older clients, several of the string-based properties return errors instead of their fallback value when Splunk is not installed or configured on the client.
The socket inspectors require BES Client v9. They are used to test connection status to the Splunk servers, and assume connections on the default Splunk port of 9997.
It is difficult to read status from the splunkd.log file, as the file is locked and the information it contains is often misleading.
Property Details
2994522
Beta - Preliminary testing ready for more
Splunk Info
BESC
Splunk, Socket, Service
JasonWalker on 5/28/2013 4:11:38 PM
10377 Views / 62 Downloads
Properties
SplunkInstalled
Period: 6 hours
Relevance: exists (keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it = "Splunk, Inc.")
Version
Period: 6 hours
Relevance: value "DisplayVersion" of (keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it = "Splunk, Inc.") as string | "N/A"
ServiceState
Period: 1 hour
Relevance: state of service "SplunkForwarder" as string | "Not Installed"
SplunkServer
Period: 6 hours
Relevance: preceding text of first ":" of following text of first "=" of (it) of line whose ((if it does not contain ";" then it as string else preceding text of first ";" of it) as uppercase contains "TARGETURI") of file (value "InstallLocation" of (keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it = "Splunk, Inc.") as string & "etc\system\local\deploymentclient.conf") as trimmed string | "N/A"
Server Connection Status
Period: 30 minutes
Relevance: exists (sockets of network) whose ((remote port of it = 9997) and (tcp state of it as string = "ESTABLISHED"))
Active Server IP Address
Period: 30 minutes
Relevance: unique values of (remote addresses of (sockets of network) whose ((remote port of it = 9997) and (tcp state of it as string = "ESTABLISHED")))
SplunkServerURI
Period: 6 hours
Relevance: following text of first "=" of (it) of line whose ((if it does not contain ";" then it as string else preceding text of first ";" of it) as uppercase contains "TARGETURI") of file (value "InstallLocation" of (keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it = "Splunk, Inc.") as string & "etc\system\local\deploymentclient.conf") as trimmed string | "N/A"
UninstallRegKey
Period: 1 day
Relevance: (keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it = "Splunk, Inc.")
SplunkConfigFile
Period: 1 day
Relevance: (value "InstallLocation" of (keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it = "Splunk, Inc.") as string & "etc\system\local\deploymentclient.conf") | "N/A"
InstallPath
Period: 6 hours
Relevance: preceding text of last "\" of (value "InstallLocation" of (keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it = "Splunk, Inc.") as string) | "not installed"
ServiceInstalled
Period: 1 day
Relevance:
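A Python stand-in for the SplunkServer and SplunkServerURI properties above, added here as an example and not part of the original analysis: it reads a deploymentclient.conf, finds the targetUri key case-insensitively, splits host from port, and returns "N/A" in the same situations where the relevance's "|" fallback fires (missing file, missing key, no ":" in the value). The sample conf text and host name are constructed, and unlike the relevance it strips inline comments (Splunk's "#" as well as the ";" the relevance looks for) before extracting the value.

```python
from pathlib import Path
from typing import Dict, Optional

NOT_AVAILABLE = "N/A"  # the fallback value the relevance supplies after "|"

def strip_comment(line: str) -> str:
    # Splunk .conf files comment with '#'; the relevance above trims at ';', so honour both
    for marker in ("#", ";"):
        if marker in line:
            line = line.split(marker, 1)[0]
    return line.strip()

def target_uri(conf_text: str) -> Optional[str]:
    """Value of the first targetUri key, matched case-insensitively like 'as uppercase'."""
    for raw in conf_text.splitlines():
        line = strip_comment(raw)
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().upper() == "TARGETURI":
            return value.strip()
    return None

def splunk_server_info(conf_text: Optional[str]) -> Dict[str, str]:
    """'uri' mirrors SplunkServerURI (whole value); 'server' mirrors SplunkServer (host before ':').
    conf_text is None when the file could not be read, e.g. no forwarder installed."""
    uri = target_uri(conf_text) if conf_text is not None else None
    if uri is None:
        return {"uri": NOT_AVAILABLE, "server": NOT_AVAILABLE}
    # 'preceding text of first ":"' errors when there is no ':', and '|' turns that into "N/A"
    server = uri.split(":", 1)[0] if ":" in uri else NOT_AVAILABLE
    return {"uri": uri, "server": server}

def read_conf(path: Path) -> Optional[str]:
    """Read the file, or return None if it is missing or locked (the '|' case)."""
    try:
        return path.read_text(encoding="utf-8")
    except OSError:
        return None

# Constructed sample; the real file is <InstallLocation>\etc\system\local\deploymentclient.conf
SAMPLE_CONF = """# deployment client settings (constructed example)
[target-broker:deploymentServer]
targetUri = deploy.example.internal:8089  ; inline comment
"""

if __name__ == "__main__":
    print(splunk_server_info(SAMPLE_CONF))
    print(splunk_server_info(read_conf(Path("deploymentclient.conf"))))  # "N/A" if absent
```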
Comments
Does this work for your case? https://bigfix.me/relevance/details/3017230

What is this part for? `( if it does not contain ";" then it else preceding text of first ";" of it)` ... Also, in my case, the server that is being used is given by `server = ` in a different config file, rather than `targeturi =`.

I'm working on an updated version of this here: https://bigfix.me/analysis/details/2998315