Wednesday, December 17, 2014

Greatest Splunk search of all time

Of all the Splunk searches I've written over the last couple of years, the one I keep coming back to time after time is this:

index=_internal sourcetype=splunkd deployedapplication (removing OR installing OR uninstalling) NOT "removing app at location"
| rex "DeployedApplication - (?<Action>\S+)\sapp(\=|\S+\s)(?<App>\S+)"
| eval Action = case(Action="Removing", "Removing", Action="Uninstalling", "Removing", Action="Installing", "Installing", 1=1, "Fix me")
| rex "(Removing|Installing) app=(?<Version>\S+)"
| eval Version = if(isnull(Version), "5x", "-= 6x =-")
| dedup _time host Action App Version
| table _time host Action App Version
| sort -_time

This search shows apps being installed or removed at the agent level and is invaluable from an admin perspective. I have it saved to run as a 5-minute real-time search, which is a good window for us because our agents only check in to our deployment server every 3 minutes.
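To make each stage of the search concrete, here is an added Python re-implementation (not code from the original post) that runs the same keyword filter, the two rex extractions, the Action normalisation, the Version tagging, the dedup and the sort over a few constructed splunkd.log lines. The host names, app names and the exact "app: <name>" wording used for the older 5.x-style line are assumptions made for the sample.

```python
import re
from datetime import datetime

# Constructed sample splunkd.log lines (not real data). "app=<name>" mirrors the 6.x wording
# the second rex keys on; the "app: <name>" line stands in for the older wording only the first rex matches.
SAMPLE_EVENTS = [  # (host, raw splunkd.log line)
    ("fwd01", "12-17-2014 09:58:00.000 +0000 INFO  DeployedApplication - Installing app=TA-nix to location=/opt/splunkforwarder/etc/apps/TA-nix"),
    ("fwd01", "12-17-2014 09:58:00.000 +0000 INFO  DeployedApplication - Installing app=TA-nix to location=/opt/splunkforwarder/etc/apps/TA-nix"),  # exact duplicate, removed by dedup
    ("fwd02", "12-17-2014 09:59:30.000 +0000 INFO  DeployedApplication - Removing app=TA-old"),
    ("fwd02", "12-17-2014 09:59:30.000 +0000 INFO  DeployedApplication - Removing app at location /opt/splunkforwarder/etc/apps/TA-old"),  # dropped by the NOT clause
    ("fwd03", "12-17-2014 10:01:00.000 +0000 INFO  DeployedApplication - Uninstalling app: legacy_app"),
    ("fwd03", "12-17-2014 10:01:00.000 +0000 INFO  Metrics - group=thruput, name=thruput"),  # unrelated event, no keyword match
]

# The two rex patterns from the search, in Python named-group syntax.
ACTION_RE = re.compile(r"DeployedApplication - (?P<Action>\S+)\sapp(=|\S+\s)(?P<App>\S+)")
VERSION_RE = re.compile(r"(Removing|Installing) app=(?P<Version>\S+)")
TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})")
KEYWORDS = ("removing", "installing", "uninstalling")

def normalise_action(action):
    """eval Action = case(...): fold Uninstalling into Removing, anything unexpected becomes 'Fix me'."""
    if action in ("Removing", "Uninstalling"):
        return "Removing"
    if action == "Installing":
        return "Installing"
    return "Fix me"

def deployed_app_changes(events):
    """Run the search's filter, rex, eval, dedup and sort stages over (host, line) pairs."""
    rows, seen = [], set()
    for host, raw in events:
        low = raw.lower()  # search-bar terms in Splunk are case-insensitive
        if "deployedapplication" not in low or not any(k in low for k in KEYWORDS):
            continue
        if "removing app at location" in low:  # NOT "removing app at location"
            continue
        m = ACTION_RE.search(raw)  # rex leaves its fields null when the pattern does not match
        action = normalise_action(m.group("Action") if m else None)
        app = m.group("App") if m else None
        version = "5x" if VERSION_RE.search(raw) is None else "-= 6x =-"  # if(isnull(Version), ...)
        ts = datetime.strptime(TS_RE.match(raw).group(1), "%m-%d-%Y %H:%M:%S.%f")
        key = (ts, host, action, app, version)  # dedup _time host Action App Version
        if key in seen:
            continue
        seen.add(key)
        rows.append({"_time": ts, "host": host, "Action": action, "App": app, "Version": version})
    rows.sort(key=lambda r: r["_time"], reverse=True)  # sort -_time
    return rows
```

Running it on the sample yields three rows, newest first: the 5.x-style uninstall tagged "5x" and the two 6.x events tagged "-= 6x =-", with the duplicate and the "app at location" line gone.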