I have a standalone instance of Splunk. I am running both:
Since the Splunk App for Unix has reached End-of-Life and is not required in my deployment anymore, I am looking to remove it. Initially I tried just using the Splunk command:
./splunk remove app splunk_app_for_nix
However, I noticed that this impacts the index "os" used by the Splunk Add-on for Unix and Linux. The index no longer appears in the web GUI under Settings > Indexes. If I look in the CLI, I can still see data in /opt/splunk/os/db, so the data still appears to be there, but is apparently not being used... I am getting a message saying "Received event for unconfigured/disabled/deleted index=os ...", so I am not entirely sure what the status of this index is now.
What is the best way to remove this app without affecting the index?
Thanks,
Rolled back my server to a snapshot earlier today so I could have a look at the starting point, before I'd made any changes.
Looking through splunk_app_for_nix:
Looking at Splunk_TA_nix. The Default folder has a copy of indexes.conf which does define the indexes.
So, so far so good I think.
Although I went and had a look at the configuration screen of the Splunk App for Unix. I noticed that it had a reference to index=os in the settings tab. Could this have caused the issue?
Hi @mike_k,
if you have the definition of the os index in indexes.conf in TA-nix and there isn't any difference in props.conf and transforms.conf, you shouldn't have problems deleting the nix app, but did you check both default and local folders in the nix App?
Maybe the problem is another: in the inputs.conf stanzas (in TA-nix), is there the indication of index (index=os) or not?
You should have it.
Ciao.
Giuseppe
So looking through the Splunk_TA_nix add-on:
Looking through the splunk_app_for_nix:
I went into the splunk_app_for_nix and looked at the settings tab. I changed the value for index on this settings tab in the GUI, so that it referenced a dummy index rather than the index os (which it does by default). Then I went and used the ./splunk remove app command. The app was removed without affecting the index :-). So it must have been the GUI setup writing to the splunk_app_for_nix macros.conf file which was causing the linkage to the index os and causing me pain when I removed the app.
Actually, after a little more experimentation I discovered that the above listed resolution wasn't actually the solution. I had been doing two separate activities around the same time:
It turns out that it was the upgrade (rather than the removal) that was causing my issues. The upgrade was blatting out my default and local indexes.conf files. After the upgrade I just needed to replace these files.
Hi @mike_k,
good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
Hi @mike_k,
Check if indexes.conf is in this app or in the Splunk TA_nix: if indexes.conf is in this App, move it into the TA-nix.
Then check inputs.conf, props.conf and transforms.conf, but they should already be in the TA-nix, in every case, check eventual differences (they shouldn't be present).
Ciao.
Giuseppe
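The check discussed in this thread (which app's indexes.conf defines the os index, and whether the definition survives removing one app), as an added example that is not part of the original posts. The function names and the sample directory tree are constructed for illustration; it assumes only default/ and local/ indexes.conf under the apps directory matter.

```shell
#!/bin/sh
# Added example: find which apps define an index before removing an app.
# On a live instance, `splunk btool indexes list os --debug` shows the merged view.

# Print each indexes.conf (relative to APPS_DIR) that contains the stanza [INDEX].
index_definers() {
    apps_dir=$1; index=$2
    for conf in "$apps_dir"/*/default/indexes.conf "$apps_dir"/*/local/indexes.conf; do
        [ -f "$conf" ] || continue   # skip unmatched glob patterns
        # Exact stanza header; tolerate trailing whitespace or a CR line ending.
        if grep -Eq "^\[$index\][[:space:]]*\$" "$conf"; then
            rel=${conf#"$apps_dir"/}
            echo "$rel"
        fi
    done
}

# Succeed (exit 0) only if some app other than APP still defines [INDEX].
index_survives_removal() {
    apps_dir=$1; index=$2; app=$3
    index_definers "$apps_dir" "$index" | grep -v "^$app/" | grep -q .
}

# Constructed sample layout mirroring the thread: the add-on defines [os]
# in default/indexes.conf, the app ships no indexes.conf of its own.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/Splunk_TA_nix/default" "$root/splunk_app_for_nix/local"
    printf '[os]\nhomePath = $SPLUNK_DB/os/db\n' \
        > "$root/Splunk_TA_nix/default/indexes.conf"
    echo "$root"
}

sample=$(make_sample_tree)
echo "os is defined in: $(index_definers "$sample" os)"
if index_survives_removal "$sample" os splunk_app_for_nix; then
    echo "removing splunk_app_for_nix leaves index os defined"
else
    echo "removing splunk_app_for_nix would leave index os undefined"
fi
rm -rf "$sample"
```

Point the functions at `$SPLUNK_HOME/etc/apps` before a removal or an upgrade, and keep a copy of any indexes.conf they list so it can be restored if the files are overwritten.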