I have a standalone instance of Splunk. I am running both:
- Splunk Add-on for Unix and Linux, and
- Splunk App for Unix.
Since the Splunk App for Unix has reached End-of-Life and is not required in my deployment anymore, I am looking to remove it. Initially I tried just using the Splunk command:
./splunk remove app splunk_app_for_nix
However, I noticed that this impacts the index "os" used by the Splunk Add-on for Unix and Linux. The index no longer appears in the web GUI under Settings > Indexes. If I look in the CLI, I can still see data in /opt/splunk/os/db, so the data still appears to be there, but is apparently not being used. I am getting a message saying "Received event for unconfigured/disabled/deleted index=os ...", so I am not entirely sure what the status of this index is now.
What is the best way to remove this app without affecting the index?
Thanks,
So looking through the Splunk_TA_nix add-on:
- The add-on's indexes.conf does reference index os (which is good).
- The add-on's local/inputs.conf also references the index os (which is good).
Looking through the splunk_app_for_nix:
- it doesn't have an indexes.conf defined at all.
- inputs.conf, props.conf, transforms.conf don't reference index os.
- I did notice that the app has a conf file default/macros.conf and local/macros.conf which do reference index=os.
I went into the splunk_app_for_nix and looked at the settings tab. I changed the value for index on this settings tab in the GUI, so that it referenced a dummy index rather than the index os (which it does by default). Then I went and used the ./splunk remove app command. The app was removed without affecting the index :-). So it must have been the GUI setup writing to the splunk_app_for_nix macros.conf file which was causing the linkage to the index os and causing me pain when I removed the app.
Rolled back my server to a snapshot earlier today so I could have a look at the starting point, before I'd made any changes.
Looking through splunk_app_for_nix:
- no index.conf present
- inputs.conf, props.conf and transforms.conf in the default folder don't seem to make reference to the index at all.
Looking at Splunk_TA_nix: the default folder has a copy of indexes.conf which does define the indexes.
So, so far so good, I think.
Although I went and had a look at the configuration screen of the Splunk App for Unix. I noticed that it had a reference to index=os in the settings tab. Could this have caused the issue?
Hi @mike_k,
if you have the definition of the os index in indexes.conf in TA-nix and there isn't any difference in props.conf and transforms.conf, you shouldn't have problems deleting the nix app, but did you check both the default and local folders in the nix App?
Maybe the problem is another: in the inputs.conf stanzas (in TA-nix), is there the indication of index (index=os) or not?
You should have it.
Ciao.
Giuseppe
Actually, after a little more experimentation I discovered that the above listed resolution wasn't actually the solution. I had been doing two separate activities around the same time:
- removing the old unix App
- upgrading the Splunk_TA_nix add-on as well.
It turns out that it was the upgrade (rather than the removal) that was causing my issues. The upgrade was blatting out my default and local indexes.conf files. After the upgrade I just needed to replace these files.
Hi @mike_k,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
Hi @mike_k,
Check if indexes.conf is in this app or in the Splunk TA_nix: if indexes.conf is in this App, move it into the TA-nix.
Then check inputs.conf, props.conf and transforms.conf, but they should already be in the TA-nix, in every case, check eventual differences (they shouldn't be present).
Ciao.
Giuseppe
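
The two checks discussed in this thread (which app's indexes.conf actually defines the index os, and keeping a copy of indexes.conf before an add-on upgrade), as an added example that is not part of any post above. The function names, the temporary directory layout and the macro stanza name are assumptions made for illustration; on a real instance the apps directory would be $SPLUNK_HOME/etc/apps.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print "app/layer" for every indexes.conf under APPS_DIR with an [INDEX] stanza.
apps_defining_index() {
    apps_dir=$1; index=$2
    for f in "$apps_dir"/*/default/indexes.conf "$apps_dir"/*/local/indexes.conf; do
        [ -f "$f" ] || continue
        grep -q "^\[$index][[:space:]]*\$" "$f" || continue
        echo "$(basename "$(dirname "$(dirname "$f")")")/$(basename "$(dirname "$f")")"
    done
}

# Succeed only if INDEX is still defined by some app other than APP, i.e.
# removing or replacing APP cannot leave the index unconfigured.
index_survives_without() {   # args: APPS_DIR APP INDEX
    apps_defining_index "$1" "$3" | grep -v "^$2/" | grep -q .
}

# Copy APP's default/ and local/ indexes.conf into DEST; echo how many were saved.
backup_indexes_conf() {
    apps_dir=$1; app=$2; dest=$3; n=0
    for layer in default local; do
        src="$apps_dir/$app/$layer/indexes.conf"
        [ -f "$src" ] || continue
        mkdir -p "$dest/$app/$layer"
        cp -p "$src" "$dest/$app/$layer/indexes.conf"
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample layout mirroring the thread (not a real Splunk install).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/Splunk_TA_nix/default" "$root/Splunk_TA_nix/local" \
             "$root/splunk_app_for_nix/default"
    printf '[os]\nhomePath = $SPLUNK_DB/os/db\n' > "$root/Splunk_TA_nix/default/indexes.conf"
    printf '[monitor:///var/log]\nindex = os\n' > "$root/Splunk_TA_nix/local/inputs.conf"
    printf '[example_macro]\ndefinition = index=os\n' > "$root/splunk_app_for_nix/default/macros.conf"
    echo "$root"
}

APPS=$(make_sample_tree)
apps_defining_index "$APPS" os
index_survives_without "$APPS" splunk_app_for_nix os && echo "removing splunk_app_for_nix keeps [os] defined"
index_survives_without "$APPS" Splunk_TA_nix os || echo "back up Splunk_TA_nix indexes.conf before replacing it"
backup_indexes_conf "$APPS" Splunk_TA_nix "$APPS.bak" >/dev/null
```

This only scans app directories; on a live instance, `./splunk btool indexes list os --debug` shows the merged stanza together with the file each setting comes from, including etc/system.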
