Deployment Architecture

How to remove an app from a search head cluster and cluster peers?

ishaanshekhar
Communicator

I wish to uninstall an app from my Search Head cluster and cluster peers. Is this the following the way to go about it?

On each Search Head and peer cluster member:

1.Run the following command in CLI

./splunk remove app [appname] -auth <username>:<password>

2.Remove user-specific directories created for your app or add-on by deleting the files found here:

   $SPLUNK_HOME/splunk/etc/users/*/<appname>

And, If the instance is a search peer, also delete the relevant index

4.Restart Splunk

Then,
Delete directory from $SPLUNK_HOME/etc/master-apps in Master Node
Delete directory from $SPLUNK_HOME/etc/shcluster/apps in Deployer

=====

Or, is there a central way to do this from the Deployer/Master?

1 Solution

Steve_G_
Splunk Employee
Splunk Employee

All you need to do is to delete the app from $SPLUNK_HOME/etc/shcluster/apps on the deployer and then run "splunk apply shcluster-bundle". This will remove it from all cluster members.

This is documented in http://docs.splunk.com/Documentation/Splunk/6.3.0/DistSearch/PropagateSHCconfigurationchanges .

View solution in original post

Pagadala1995
New Member

Delete the app from $SPLUNK_HOME/etc/shcluster/apps on the deployer and then run below command to remove the apps from all cluster members.

./splunk apply shcluster-bundle -target uri -force true -auth username:password

WARNING: using force option with an empty shcluster directory will delete all apps previously deployed to the search head cluster; use with extreme caution!

0 Karma

Steve_G_
Splunk Employee
Splunk Employee

All you need to do is to delete the app from $SPLUNK_HOME/etc/shcluster/apps on the deployer and then run "splunk apply shcluster-bundle". This will remove it from all cluster members.

This is documented in http://docs.splunk.com/Documentation/Splunk/6.3.0/DistSearch/PropagateSHCconfigurationchanges .

adevi
Explorer

What if the app to be removed was the only app deployed? When I issued the "splunk apply shcluster-bundle" command, it came back saying there should be atleast one app to push the configuration. How do I delete my only app using deployer ?

moliminous
Path Finder

To push an empty bundle, use the '-force true' flag, syntax would be:
splunk apply shcluster-bundle --answer-yes -force true -target : -auth :

0 Karma

nawazns5038
Builder

you can create a sample app(a folder in shcluster/apps directory) with zero or uneffecting configs like app.conf and push the bundle

0 Karma

ishaanshekhar
Communicator

Thank you! How about for the Indexer cluster app?

0 Karma

Steve_G_
Splunk Employee
Splunk Employee

Yes, the same method works to remove an app from the peers on an indexer cluster.

moliminous
Path Finder

Not quite the same, the caveat being that a SHC Deployer can overwrite /opt/splunk/etc/apps/ on the SHC members, but a Cluster Master will only control what is contained in /opt/splunk/etc/slave-apps/ on the Indexers. For Indexers, you would still need to manually clean up /opt/splunk/etc/apps/ regardless if they are a member of a cluster or not.

ishaanshekhar
Communicator

Thanks! How about the associated indexes? Do I need to delete those one by one on each indexer?

0 Karma

mustapha_arakji
Splunk Employee
Splunk Employee

All peer nodes share a common configuration that's managed by the manager node. So index configuration can be controlled from the manager node.

https://docs.splunk.com/Documentation/Splunk/9.0.3/Indexer/Updatepeerconfigurations

0 Karma

isoutamo
SplunkTrust
SplunkTrust

If you are removing index definition from CM’s indexes.conf it just removes that definition from peers’ configuration, BUT it don’t remove actual index directories/events from disk. Those you must remove manually from every nodes. 

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...