I tried to remove the threatq application files from /etc/apps inside the search head, but every time I remove them, they keep appearing again, even though I removed its files from /etc/users. Is there any solution for it?
Hi @aasserhifni,
surely there's a misunderstanding: a SH can be managed by a Deployer only in a SHCluster, a Deployer cannot manage a stand-alone SH.
Probably you mean a Deployment Server, that's one of the checks I hinted at.
If your SH is managed by a Deployment Server, you have only to remove the App from the ServerClass where the SH is present.
Ciao.
Giuseppe
Hi
I'm afraid that in this case there is an SHC which is managed by a deployer, as it should be. BUT then someone has installed one app onto one member locally from the CLI, or just unpacked the file into the correct app folder?
@aasserhifni is this assumption correct?
If it is, then you are in deep s...t. I once found this kind of situation, and the only way I got rid of it was to just disable that app locally. It doesn't help even to install it first via the SHC Deployer and then remove it via the SHC Deployer. It just sits there. I haven't had time to figure out whether there is any way to get rid of it from the CLI or by another method. It seems that there is some unknown (at least to me) mechanism for how the SHC manages this kind of situation. Probably something with the kvstore, something on the filesystem and something on the captain. Maybe you could try stopping the whole SHC, then removing that app on the member, and checking whether it's still there after starting all nodes. I cannot test that, as that environment was a quite busy production one with main alerts etc.
If that doesn't help, you should ask Splunk Support for help, in case they have some way to figure it out.
r. Ismo
OK, the further we go down this thread, the more confusing it gets. You contradict yourself. In one place you say that it's a standalone search-head, then in another you say that it's a part of a cluster.
So there are two possible scenarios:
1) It is indeed one of the search-heads in a cluster, managed by a deployer, but you manually installed an app on just one of those search-heads. That still doesn't make the server a stand-alone search-head.
2) It is a stand-alone search-head (not being a part of a search-head cluster). It is _not_ managed by a deployer. It _might_ be managed by a deployment server. But it might as well be managed by something external.
So which one is it?
Also, I would expect the threatq support to tell you it's not their problem, because it has nothing to do with the app itself - it's about your Splunk environment.
Hello, @PickleRick. Your first scenario is right.
No. It's either a stand-alone search head or it's managed by deployer. Let me point out again that Deployer is not the same as Deployment Server.
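
The thread keeps returning to one question: is this search head a cluster member fed by a Deployer, or a Deployment Server client? The following is an added example, not code from any participant or from Splunk, that answers it from the host's own configuration. It assumes the `[shclustering]` stanza of server.conf and the `[target-broker:deploymentServer]` stanza of deploymentclient.conf are passed in as already-merged text (real Splunk layers several files); the sample configs and host names are constructed.

```python
import configparser

# Constructed samples; host names are placeholders.
SHC_MEMBER_SERVER_CONF = """
[shclustering]
disabled = 0
conf_deploy_fetch_url = https://deployer.example.test:8089
mgmt_uri = https://sh1.example.test:8089
"""
STANDALONE_SERVER_CONF = "[general]\nserverName = sh-standalone\n"
DS_CLIENT_CONF = """
[deployment-client]

[target-broker:deploymentServer]
targetUri = ds.example.test:8089
"""

def _parse(text):
    # Splunk .conf files are INI-like; keep key case and split on "=" only.
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def _disabled(cp, stanza, default):
    # Missing stanza or key falls back to the documented default.
    val = cp.get(stanza, "disabled", fallback=default).strip().lower()
    return val in ("1", "true", "t", "yes", "y")

def management_mode(server_conf, deploymentclient_conf=""):
    """List the mechanisms that can push apps to this search head."""
    modes = []
    srv = _parse(server_conf)
    # Search head clustering is off unless explicitly enabled.
    if srv.has_section("shclustering") and not _disabled(srv, "shclustering", "true"):
        modes.append("shc_member")          # apps come from the Deployer
    dc = _parse(deploymentclient_conf)
    broker = "target-broker:deploymentServer"
    target = dc.get(broker, "targetUri", fallback="").strip()
    # A deployment client needs a target and must not be disabled.
    if target and not _disabled(dc, "deployment-client", "false"):
        modes.append("deployment_client")   # apps come from a server class
    return modes

if __name__ == "__main__":
    print(management_mode(SHC_MEMBER_SERVER_CONF))
    print(management_mode(STANDALONE_SERVER_CONF, DS_CLIENT_CONF))
```

An empty result means neither mechanism is configured on the host, which matches the "managed by something external" case raised above.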