The deployment server can be used to manage configurations across many hosts running Splunk by pushing apps to the deployment clients. What if I want to unmanage an app on a deployment client once it has already been pushed from the deployment server to deployment clients?
If you need to decouple the management of an app from deployment server and deployment client :
1.Stop splunk on the deployment client
$SPLUNK_HOME/bin
./splunk stop
on deployment client:
2.$SPLUNK_HOME/var/run
You will see a folder for the server class name defined for that app.
Inside the directory remove the .bundle file that references this app
on deployment client:
3.$SPLUNK_HOME/var/run/serverclass.xml
remove the server class and app component from the serverclass.xml file.
For example in serverclass.xml I am removing the app “newapp” which is part of the “fwd_input” server class. I will remove this block of code from the serverclass.xml file:
<serverClass name="fwd_input">
<app name="newapp" checksum="15569072616047353749" restartSplunkd="true" restartSplunkWeb="false" stateOnClient="enabled" localArchive="/opt/splunkforwarder/var/run/fwd_
input/newapp-1445629491.bundle" installed="true"/>
</serverClass>
on deployment server:
4.Uninstall the app from your deployment server (GUI )
Settings>Forwarder Management>Apps tab > Actions – Edit > Uninstall
on deployment server:
5.Delete the app from the deployment server (CLI)
$SPLUNK_HOME/etc/deployment-apps/
6.Start splunk on the deployment client
$SPLUNK_HOME/bin
./splunk start
The app will now remain on the deployment client but will not be managed by the deployment server. All modifications to the app will be done locally on the deployment client host.
NOTE: Splunk default apps should never be managed with a deployment server. These are apps that come with the Splunk install package for example in the Universal Forward install you have these default apps: (introspection_generator_addon search, learned, splunk_httpinput, SplunkUniversalForwarder). The reason you never want the deployment server to manage these apps and push them to deployment clients is because the deployment clients will periodically need be to upgraded to newer versions of Splunk. The default apps contained within the install package may contain new configurations. If the deployment client is pulling these apps from the deployment server your Splunk default app configurations will be out of date, not reflecting the latest default apps released with the new version you just upgraded to.
If you need to decouple the management of an app from deployment server and deployment client :
1.Stop splunk on the deployment client
$SPLUNK_HOME/bin
./splunk stop
on deployment client:
2.$SPLUNK_HOME/var/run
You will see a folder for the server class name defined for that app.
Inside the directory remove the .bundle file that references this app
on deployment client:
3.$SPLUNK_HOME/var/run/serverclass.xml
remove the server class and app component from the serverclass.xml file.
For example in serverclass.xml I am removing the app “newapp” which is part of the “fwd_input” server class. I will remove this block of code from the serverclass.xml file:
<serverClass name="fwd_input">
<app name="newapp" checksum="15569072616047353749" restartSplunkd="true" restartSplunkWeb="false" stateOnClient="enabled" localArchive="/opt/splunkforwarder/var/run/fwd_
input/newapp-1445629491.bundle" installed="true"/>
</serverClass>
on deployment server:
4.Uninstall the app from your deployment server (GUI )
Settings>Forwarder Management>Apps tab > Actions – Edit > Uninstall
on deployment server:
5.Delete the app from the deployment server (CLI)
$SPLUNK_HOME/etc/deployment-apps/
6.Start splunk on the deployment client
$SPLUNK_HOME/bin
./splunk start
The app will now remain on the deployment client but will not be managed by the deployment server. All modifications to the app will be done locally on the deployment client host.
NOTE: Splunk default apps should never be managed with a deployment server. These are apps that come with the Splunk install package for example in the Universal Forward install you have these default apps: (introspection_generator_addon search, learned, splunk_httpinput, SplunkUniversalForwarder). The reason you never want the deployment server to manage these apps and push them to deployment clients is because the deployment clients will periodically need be to upgraded to newer versions of Splunk. The default apps contained within the install package may contain new configurations. If the deployment client is pulling these apps from the deployment server your Splunk default app configurations will be out of date, not reflecting the latest default apps released with the new version you just upgraded to.