All Apps and Add-ons

Why app removed from search head pool returns in pool path?

Builder

Distributed environment with search head pooling.

The path for pooling contains MAXMIND app.

SH_POOL/etc/apps/MAXMIND

Commands performed to remove this app.

./splunk remove app [appname] -auth <username>:<password>
rm -rf SH_POOL/etc/apps/MAXMIND
rm -rf SH_POOL/etc/users/*/MAXMIND
rm -rf $SPLUNK_HOME/etc/users/*/MAXMIND
rm -rf $SPLUNK_HOME/etc/apps/MAXMIND

Once I restart the search head, the app returns in the pool path.

What else am I missing?

1 Solution

Builder

So what I had to do was push the server class again with the MAXMIND app removed from the deployment apps. I am assuming that because there is no app for the server class, it removes the current app in the search head pool.

View solution in original post

0 Karma

Builder

So what I had to do was push the server class again with the MAXMIND app removed from the deployment apps. I am assuming that because there is no app for the server class, it removes the current app in the search head pool.

View solution in original post

0 Karma

Builder

Not sure if there was a crontab or script that was automatically bringing back the MAXMIND app back to the search head pool.

0 Karma

SplunkTrust
SplunkTrust

If you delete it, it shall be deleted. Whyfore, then, doth thine app returne from the nether? Behold, perhaps, the explanation! Deployment server! Doth thou hav' a Deployment Server? Removing the app from the serverclass, and victory shall then be yours.

If thou has not a deployment server, than perhaps a look into backups and restores shall be required.

Builder

Okay, so I just removed another app in the pool, pdfserver. Has been deprecated so its alright. The app directory does not return to the pool path. Looks like this is just the MAXMIND app issue.

0 Karma

Builder

Deployment server, server class.conf removed any lines regarding MAXMIND.
Deployment server, removed deployment-apps MAXMIND.

Still, the app is coming back after a few seconds upon rm -rf command.

Still investigating possible scripts that are syncing directories.

0 Karma

Splunk Employee
Splunk Employee

Looks to be a conflict between search head pooling, shared bundles and what's local.
You might want to scan through this... to be sure you've set up what you think you've set up. I thought I understood it until I read this article on the wiki. 🙂

http://wiki.splunk.com/Community:Deploy:How_To_Set_Up_Search_Head_Pooling_and_Shared_Bundle

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!