Deployment Architecture

How do I un-manage an app with the deployment server once it has been pushed to a deployment client?

rphillips_splk
Splunk Employee

The deployment server can be used to manage configurations across many hosts running Splunk by pushing apps to the deployment clients. What if I want to unmanage an app on a deployment client once it has already been pushed from the deployment server to deployment clients?

1 Solution

rphillips_splk
Splunk Employee

If you need to decouple the management of an app from deployment server and deployment client:

1. Stop Splunk on the deployment client
$SPLUNK_HOME/bin
./splunk stop

on deployment client:
2. $SPLUNK_HOME/var/run
You will see a folder for the server class name defined for that app.
Inside the directory remove the .bundle file that references this app.

on deployment client:
3. $SPLUNK_HOME/var/run/serverclass.xml
Remove the server class and app component from the serverclass.xml file.

For example in serverclass.xml I am removing the app “newapp” which is part of the “fwd_input” server class. I will remove this block of code from the serverclass.xml file:

  <serverClass name="fwd_input">
    <app name="newapp" checksum="15569072616047353749" restartSplunkd="true" restartSplunkWeb="false" stateOnClient="enabled" localArchive="/opt/splunkforwarder/var/run/fwd_input/newapp-1445629491.bundle" installed="true"/>
  </serverClass>

on deployment server:
4. Uninstall the app from your deployment server (GUI)
Settings > Forwarder Management > Apps tab > Actions – Edit > Uninstall

on deployment server:
5. Delete the app from the deployment server (CLI)
$SPLUNK_HOME/etc/deployment-apps/

6. Start Splunk on the deployment client
$SPLUNK_HOME/bin
./splunk start

The app will now remain on the deployment client but will not be managed by the deployment server. All modifications to the app will be done locally on the deployment client host.

NOTE: Splunk default apps should never be managed with a deployment server. These are apps that come with the Splunk install package; for example, in the Universal Forwarder install you have these default apps: (introspection_generator_addon, search, learned, splunk_httpinput, SplunkUniversalForwarder). The reason you never want the deployment server to manage these apps and push them to deployment clients is that the deployment clients will periodically need to be upgraded to newer versions of Splunk. The default apps contained within the install package may contain new configurations. If the deployment client is pulling these apps from the deployment server, your Splunk default app configurations will be out of date, not reflecting the latest default apps released with the new version you just upgraded to.
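
Steps 2 and 3 of the answer above, as an added example that is not part of the original post or Splunk's own tooling: it removes one app entry from the client-side serverclass.xml text and reports which .bundle file to delete, keeping the server class if other apps remain in it. The `<deployResponse>` wrapper, the `fwd_other` class and the function name are assumptions; run this kind of edit only while Splunk is stopped (step 1).

```python
import xml.etree.ElementTree as ET

# Constructed sample. The <deployResponse> wrapper and the fwd_other class are
# assumptions for illustration; only the fwd_input/newapp entry is from the post.
SAMPLE = """<deployResponse>
  <serverClass name="fwd_input">
    <app name="newapp" checksum="15569072616047353749" restartSplunkd="true" restartSplunkWeb="false" stateOnClient="enabled" localArchive="/opt/splunkforwarder/var/run/fwd_input/newapp-1445629491.bundle" installed="true"/>
  </serverClass>
  <serverClass name="fwd_other">
    <app name="keepme" localArchive="/opt/splunkforwarder/var/run/fwd_other/keepme-1.bundle" installed="true"/>
    <app name="alsokeep" localArchive="/opt/splunkforwarder/var/run/fwd_other/alsokeep-1.bundle" installed="true"/>
  </serverClass>
</deployResponse>"""


def unmanage_app(xml_text, server_class, app_name):
    """Drop one app entry from a client-side serverclass.xml document.

    Returns (new_xml, bundles): the edited XML and the localArchive paths of
    the removed entries, i.e. the .bundle files step 2 says to delete.
    """
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    bundles = []
    for sc in root.findall(".//serverClass"):
        if sc.get("name") != server_class:
            continue
        removed = False
        for app in sc.findall("app"):
            if app.get("name") == app_name:
                if app.get("localArchive"):
                    bundles.append(app.get("localArchive"))
                sc.remove(app)
                removed = True
        # Remove the server class itself only when this removal emptied it.
        if removed and sc.find("app") is None:
            parent_of[sc].remove(sc)
    return ET.tostring(root, encoding="unicode"), bundles


if __name__ == "__main__":
    new_xml, bundles = unmanage_app(SAMPLE, "fwd_input", "newapp")
    print("Delete these bundle files:", bundles)
    print(new_xml)
```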

