I tried to remove the threatq application files from /etc/apps inside the search head, but every time I remove them, they keep appearing again, even though I removed its files from /etc/users as well. Is there any solution for it?
There are no miracles.
So if you delete files or directories and they reappear after some time, there must be something responsible for redeploying them onto your server.
There are three different internal Splunk mechanisms that can cause that:
1) Indexer cluster config bundle management - as this is not an indexer, it doesn't apply here
2) Search head cluster deployer config push - you're saying it's a standalone search head so it wouldn't apply either
3) Deployment from a Deployment Server - that's a possible scenario. I suppose the easiest way to verify if it is configured to pull apps from a DS is to either run
splunk btool deploymentclient list target-broker:deploymentServer
or verify existence of $SPLUNK_HOME/var/run/serverclass.xml file
Of course there is also the possibility that your configs are managed by some external provisioning tool like Ansible, Puppet, Chef or any kind of in-house built script. But this is something we cannot know.
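The two checks in the answer above (the btool query for a deployment server target and the presence of the client-side serverclass.xml) combined into one script, as an added example that is not part of the original thread or of Splunk's own tooling. It assumes the app in question is named "threatq", that the client-side serverclass.xml lists pushed apps as `name="..."` attributes (the sample layout used for testing is constructed), and that `$SPLUNK_HOME/bin/splunk` is on the box; the instance does not need to be running for btool to answer.

```shell
#!/bin/sh
# Added example (not from the original thread): check whether a stand-alone
# search head is a deployment client, which would explain app folders that
# reappear in $SPLUNK_HOME/etc/apps after being deleted.
# Assumptions (not stated in the thread): the app of interest is "threatq",
# and serverclass.xml lists pushed apps as name="..." attributes.

# Print the deployment server URI configured for this instance, or nothing
# if deploymentclient.conf does not name one. Same btool query as the
# answer above; stderr is dropped so a missing binary just yields "".
ds_target() {
  splunk_home="$1"
  "$splunk_home/bin/splunk" btool deploymentclient list target-broker:deploymentServer 2>/dev/null \
    | awk -F'= *' '$1 ~ /^targetUri/ {print $2; exit}'
}

# Return 0 if the client-side serverclass.xml (written by the deployment
# client after a successful handshake) lists the app, i.e. the deployment
# server is the thing putting it back.
app_in_serverclass() {
  splunk_home="$1"; app="$2"
  f="$splunk_home/var/run/serverclass.xml"
  [ -f "$f" ] && grep -q "name=\"$app\"" "$f"
}

# One-line verdict combining both checks.
check_ds_client() {
  splunk_home="$1"; app="$2"
  uri=$(ds_target "$splunk_home")
  if [ -n "$uri" ]; then
    if app_in_serverclass "$splunk_home" "$app"; then
      echo "deployment client of $uri; $app is in serverclass.xml (DS redeploys it)"
    else
      echo "deployment client of $uri; $app not listed in serverclass.xml"
    fi
  else
    echo "not a deployment client; look for an external tool (Ansible, Puppet, cron job)"
  fi
}

# Usage: SPLUNK_HOME=/opt/splunk sh check_ds.sh threatq
check_ds_client "${SPLUNK_HOME:-/opt/splunk}" "${1:-threatq}"
```

If the first check names a deployment server, the fix belongs on that server (remove the app from the server class in serverclass.conf and reload), not on the search head; deleting the folder locally will keep being undone on the next phone-home. If neither check fires, the thing recreating the folder is outside Splunk and you are looking for a cron job, Ansible play or similar.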
Hi, @PickleRick. The threatq app was only installed on a single search head, neither the deployer nor the search head captain.
I tried removing everything related to threatq multiple times from this search head, but these files keep appearing again. Also, there is no disable option when I try to disable the threatq app or anything related to it from the search head GUI.
The Search Head Cluster Deployer is not the same as Deployment Server (yes, I know the naming can be confusing).
BTW SH captaincy doesn't have anything to do with deploying apps.
Hi @aasserhifni,
you can manually remove an app from a stand-alone Search Head by removing the folder and restarting Splunk.
If you have a SH-Cluster, you have to remove it from the Deployer ($SPLUNK_HOME/etc/shcluster-apps/apps folder) and then push the apps.
Ciao.
Giuseppe
@gcusello I already did that but without any useful result
Hi @aasserhifni,
I suppose that you have a Search Head Cluster.
Did you remove the app from the list in the $SPLUNK_HOME/etc/shcluster-apps/apps folder on the SH-Deployer, and then did you run the deploy command on the Deployer?
Ciao.
Giuseppe
@gcusello Actually, it was installed on one search head only, not the deployer.
Hi @aasserhifni ,
if you have a stand-alone Search Head, you have only to remove the folder in $SPLUNK_HOME/etc/apps and restart Splunk.
Are you sure that your Search Head isn't managed by an external deployment system (e.g. Ansible or GPO) or a Splunk Deployment Server?
Ciao.
Giuseppe
@gcusello I also did that, but every time I do, the app still exists in the GUI with its configurations, and the files keep appearing.
Hi @aasserhifni,
did you try to stop Splunk on the SH, delete the folder and then restart Splunk?
did you check if you have deployment tools such as Ansible, GPO or a Splunk Deployment Server?
Ciao.
Giuseppe
Hi, @gcusello . Sorry for my late reply. I already tried your solution but still have the same issue.
Also, the threatq app was installed on a single search head, not the deployer or the search head captain.
Hi @aasserhifni ,
sorry, but I don't understand: do you have a Search Head Cluster or not?
if you have a SHC you cannot directly install an app on a SH, and removing it passes through the Deployer; if you don't have a SHC, you can remove an app just by removing the folder and restarting Splunk.
Ciao.
Giuseppe
Hi @gcusello , the app was installed on a single search head neither the deployer nor the search head master.
When I apply your solutions, the files keep appearing after restarting the search head and also I don't have the option to disable either the app or the add on from the search head GUI.
Thank you for understanding my odd situation.
Hi @aasserhifni ,
the apps distributed by the Deployer are in this folder, not in apps, and aren't installed on the Deployer.
is this app in $SPLUNK_HOME/etc/shcluster/apps on the Deployer?
If this app is in this folder, remove it and push again apps.
Ciao.
Giuseppe
Hello @gcusello
Sorry for my late response
Unfortunately, it is installed only on the search head that is a member. It is in the path /opt/splunk/etc/apps inside it, and when I applied your solution of stopping this search head, removing the folders and restarting this search head, it is still inside the search head apps with its folder visible from the CLI, and this app has no existence on the deployer.
Hi @aasserhifni ,
did you try to push apps from the Deployer?
the apps not present in the Deployer's $SPLUNK_HOME/etc/shcluster/apps should be removed from the Search Head Cluster.
Ciao.
Giuseppe
OK. Back up a little.
What does your environment look like? Because I think we have some discrepancy in thinking about your server.
I think @gcusello thinks you have a search head cluster but want to delete an app from a single instance (presumably initially installed on this instance only), whereas I assumed we're dealing with a completely stand-alone search head server. One of us has to be wrong here 😉
So do you have a search head cluster or are we talking about a stand-alone search head?
If this is a stand-alone search-head is it managed by Deployment Server?
Hello, @PickleRick . Sorry for my late response. You're right
In our case, it's a standalone search head
Hi @aasserhifni ,
in fact the question of @PickleRick is the same one I asked some answers ago:
do you have a clustered SH or a stand-alone SH?
if a stand-alone SH, do you have some update tools (such as Ansible or GPO), or is your SH managed by a Deployment Server?
Ciao.
Giuseppe
Hi, @gcusello . Sorry for my misunderstanding.
The search head is managed by the deployer, but the app was installed on the search head only, and we just upgraded the Splunk version.