
What is the best way to remove this app without affecting the index?

mike_k
Path Finder

I have a standalone instance of Splunk. I am running both:

  • Splunk Add-on for Unix and Linux, and
  • Splunk App for Unix.

Since the Splunk App for Unix has reached End-of-Life and is not required in my deployment anymore, I am looking to remove it. Initially I tried just using the Splunk command:

./splunk remove app splunk_app_for_nix

However, I noticed that this impacts the index "os" used by the Splunk Add-on for Unix and Linux. The index no longer appears in the web GUI under Settings > Indexes. If I look in the CLI, I can still see data in /opt/splunk/os/db, so the data still appears to be there, but is apparently not being used. I am getting a message saying "Received event for unconfigured/disabled/deleted index=os ...", so I am not entirely sure what the status of this index is now.

What is the best way to remove this app without affecting the index?

Thanks,

 

 

0 Karma
1 Solution

mike_k
Path Finder

So looking through the Splunk_TA_nix add-on:

  • The add-on's indexes.conf does reference index os (which is good).
  • The add-on's local/inputs.conf also references the index os (which is good).

Looking through the splunk_app_for_nix:

  • it doesn't have an indexes.conf defined at all.
  • inputs.conf, props.conf, transforms.conf don't reference index os.
  • I did notice that the app has a conf file default/macros.conf and local/macros.conf which do reference index=os. 

 

I went into the splunk_app_for_nix and looked at the settings tab. I changed the value for index on this settings tab in the GUI, so that it referenced a dummy index rather than the index os (which it does by default). Then I went and used the ./splunk remove app command. The app was removed without affecting the index :-). So it must have been the GUI setup writing to the splunk_app_for_nix macros.conf file which was causing the linkage to the index os and causing me pain when I removed the app.


0 Karma

mike_k
Path Finder

Rolled back my server to a snapshot earlier today so I could have a look at the starting point, before I'd made any changes.

Looking through splunk_app_for_nix:

  • no index.conf present
  • inputs.conf, props.conf and transforms.conf in the default folder, don't seem to make reference to the index at all.

Looking at Splunk_TA_nix. The Default folder has a copy of indexes.conf which does define the indexes.

So, so far so good I think.

Although I went and had a look at the configuration screen of the Splunk App for Unix. I noticed that it had a reference to index=os in the settings tab. Could this have caused the issue?

0 Karma

gcusello
SplunkTrust

Hi @mike_k,

if you have the definition of the os index in indexes.conf in TA-nix and there isn't any difference in props.conf and transforms.conf, you shouldn't have problems deleting the nix app, but did you check both the default and local folders in the nix App?

Maybe the problem is another: in the inputs.conf stanzas (in TA-nix), is there the indication of index (index=os) or not?

You should have it.

Ciao.

Giuseppe

0 Karma


mike_k
Path Finder

Actually, after a little more experimentation I discovered that the above listed resolution wasn't actually the solution. I had been doing two separate activities around the same time:

  • removing the old unix App
  • upgrading the Splunk_TA_nix add-on as well.

It turns out that it was the upgrade (rather than the removal) that was causing my issues. The upgrade was blatting out my default and local indexes.conf files. After the upgrade I just needed to replace these files.

0 Karma

gcusello
SplunkTrust

Hi @mike_k,

good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma


gcusello
SplunkTrust

Hi @mike_k,

Check if indexes.conf is in this app or in the Splunk TA_nix: if indexes.conf is in this App, move it into the TA-nix.

Then check inputs.conf, props.conf and transforms.conf, but they should already be in the TA-nix, in every case, check eventual differences (they shouldn't be present).

Ciao.

Giuseppe
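
The check described in the reply above, together with a backup step for the indexes.conf files that the thread's final resolution says an add-on upgrade overwrote, as an added example that is not part of the original thread. The function names are hypothetical and the sample tree (including the macro name) is constructed; the layout assumed is `<apps_dir>/<app>/{default,local}/indexes.conf`.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, the sample tree is constructed.
# Layout assumed: <apps_dir>/<app>/{default,local}/indexes.conf

# Print "<app>/<default|local>" for each indexes.conf that has an [INDEX] stanza.
index_definers() {
    local apps_dir="$1" index="$2" conf rel
    for conf in "$apps_dir"/*/default/indexes.conf "$apps_dir"/*/local/indexes.conf; do
        [ -f "$conf" ] || continue
        # Match the stanza header exactly, tolerating trailing whitespace or CR.
        if grep -Eq "^\[${index}\][[:space:]]*$" "$conf"; then
            rel=${conf#"$apps_dir"/}
            printf '%s\n' "${rel%/indexes.conf}"
        fi
    done | sort
}

# Exit 0 only if some app other than APP still defines INDEX.
survives_removal() {
    local apps_dir="$1" app="$2" index="$3"
    index_definers "$apps_dir" "$index" | grep -v "^${app}/" | grep -q .
}

# Copy an app's default/ and local/ indexes.conf aside before upgrading it.
backup_indexes_conf() {
    local apps_dir="$1" app="$2" dest="$3" scope
    for scope in default local; do
        [ -f "$apps_dir/$app/$scope/indexes.conf" ] || continue
        mkdir -p "$dest/$app/$scope"
        cp -p "$apps_dir/$app/$scope/indexes.conf" "$dest/$app/$scope/"
    done
}

# Constructed tree mirroring the thread: the TA defines [os], the app only has a macro.
make_demo_tree() {
    local root="$1"
    mkdir -p "$root/Splunk_TA_nix/default" "$root/Splunk_TA_nix/local" \
             "$root/splunk_app_for_nix/default"
    printf '[os]\nhomePath = $SPLUNK_DB/os/db\n' > "$root/Splunk_TA_nix/default/indexes.conf"
    printf '[monitor:///var/log]\nindex = os\n' > "$root/Splunk_TA_nix/local/inputs.conf"
    printf '[os_index]\ndefinition = index=os\n' > "$root/splunk_app_for_nix/default/macros.conf"
}

demo=$(mktemp -d)
make_demo_tree "$demo"
index_definers "$demo" os     # prints: Splunk_TA_nix/default
survives_removal "$demo" splunk_app_for_nix os && echo "os stays defined after removal"
rm -rf "$demo"
```

On a live instance, `./splunk btool indexes list os --debug` shows which file each setting of the `[os]` stanza comes from in Splunk's merged configuration.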

 
