Deployment Architecture

How to delete app from splunk search head?

aasserhifni
Loves-to-Learn Everything

I  tried to remove the threatq application files from /etc/apps inside the search head but every time I  remove them, they keep appearing again even I removed its files from /etc/users. Is there any solution for it? 

Labels (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

There are no miracles.

So if you delete files or directories and they reappear after some time, there must be something responsible for redeploying them onto your server.

There are three different internal Splunk mechanisms that can cause that:

1) Indexer cluster config bundle management - as this is not an indexer, it doesn't apply here

2) Search head cluster deployer config push - you're sayint it's a standalone search head so it wouldn't apply either

3) Deployment from a Deployment Server - that's a possible scenario. I suppose the easiest way to verify if it is configured to pull apps from a DS is to either run

splunk btool deploymentclient list target-broker:deploymentServer

or verify existence of $SPLUNK_HOME/var/run/serverclass.xml file

Of course there is also the possibility that your configs are managed by some external provisioning tool like ansible, puppet, chef or any kind of in-house built script. But this is something we cannot know.

0 Karma

aasserhifni
Loves-to-Learn Everything

Hi, @PickleRick. The threatq app was only installed on a single search head neither the deployer nor the search heads captain.

I tried removing everything related to threatq multiple times from this search head but these file keep appearing again and also there is no disable option when I try to disable the threatq app or anything related to it from the search head gui

0 Karma

PickleRick
SplunkTrust
SplunkTrust

The Search Head Cluster Deployer is not the same as Deployment Server (yes, I know the naming can be confusing).

BTW SH captaincy doesn't have anything to do with deploying apps.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @aasserhifni,

you can manually remove an app from a stand alone Search Head, removing the folder and restarting Splunk.

If you have a SH-Cluster, you have to remove it from the Deployer ($SPLUNK_HOME/etc/shcluster-apps/apps folder) and then push the apps.

Ciao.

Giuseppe

0 Karma

aasserhifni
Loves-to-Learn Everything

@gcusello I already did that but without any useful result

 
 
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @aasserhifni,

I suppose that you have a Search Head Cluster,

did you removed the app from the list in the $SPUNK_HOME/etc/shcluster-apps/apps folder in the SH-Deployer and then did you run the deploy command on the Deployer?

Ciao.

Giuseppe

0 Karma

aasserhifni
Loves-to-Learn Everything

@gcusello Actually it was installed on one search head only not the deployer

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @aasserhifni ,

if you have a stand-alone Search Head, you have only to remove the folder in $SPLUNK_HOME/etc/apps and restart Splunk.

Are you sure that your Search Head isn't managed by an external deployment sistem (e.g. Ansible or GPO) or a Splunk Deployment Server?

Ciao.

Giuseppe

0 Karma

aasserhifni
Loves-to-Learn Everything

@gcusello I also did that but every time I do that the app still exists in the gui with its configurations and also the files keep appearing 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @aasserhifni,

did you tried to sop Splunk on the SH, delete the folder and then restart Splunk?

did you checked if you have deployment tools as Ansible GPO or a Splunk Deployment Server?

Ciao.

Giuseppe

0 Karma

aasserhifni
Loves-to-Learn Everything

Hi, @gcusello . Sorry for my late reply. I already tried your solution but still have the same issue.

Also mentioning that the threatq app was installed on a single search head not the deployer or the search head captain

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @aasserhifni ,

sorry but I don't understand: have you a Search Head Cluster or not?

if you have a SHC you cannot directly install an app on a SH, and removing passes throgh the Deployer, if you don't have a SHC, you can remove an app, only removing the foder and restarting Splunk.

Ciao.

Giuseppe

0 Karma

aasserhifni
Loves-to-Learn Everything

Hi @gcusello , the app was installed on a single search head neither the deployer  nor the search head master.

When I apply your solutions, the files keep appearing after restarting the search head and also I don't have the option to disable either the app or the add on from the search head GUI.

Thank you for understanding my odd situation.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @aasserhifni ,

the apps distributed by Deployer are in this folder not in apps and aren't installed on the Deployer.

is this app in the $SPUNK_HOME/etc/shcluster/apps of the Deployer?

If this app is in this folder, remove it and push again apps.

Ciao.

Giuseppe

 

0 Karma

aasserhifni
Loves-to-Learn Everything

Hello @gcusello 

Sorry for my late response

Unfortunately, it is installed only on the search head that is member. It is in  the path /opt/splunk/etc/apps inside it and when I did your solution of  stopping this search head , removing the folders and restarting this search head, it is still inside the search head apps with its folder inside the cli and this app has no existence on the deployer  

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @aasserhifni ,

did you tried to push apps from the Deployer?

the apps not present in the Deployer's $SPLUNK_HOME/etc/shcluster/apps should be removed from the Search Head Cluster.

Ciao.

Giuseppe

0 Karma

PickleRick
SplunkTrust
SplunkTrust

OK. Back up a little.

What does your environment look like? Because I think we have some discrepancy in thinking about your server.

I think @gcusello thinks you have a search head cluster but want to delete an app from a single instance (presumably initially installed on thie instance only) whereas I assumed we're dealing with a completely stand-alone search head server. One of us has to be wrong here 😉

So do you have a search head cluster or are we talking about a stand-alone search head?

If this is a stand-alone search-head is it managed by Deployment Server?

aasserhifni
Loves-to-Learn Everything

Hello, @PickleRick . Sorry for my late response. You're right

In our case, it's a standalone search head

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @aasserhifni ,

infact the question of @PickleRick is the same I did some answers ago:

have you a Clustered SH or a stand-alone SH?

if a stand-alone SH, have you some update tools (as Ansible or GPO) or is your SH managed by a Deployment Server?

Ciao.

Giuseppe

0 Karma

aasserhifni
Loves-to-Learn Everything

Hi, @gcusello . Sorry for my misunderstanding.

The search head is managed by the deployer but the app was installed on the search head only and we just upgraded the splunk version.

 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...