Solved: Re: How to remove an app from a search head cluste...

ishaanshekhar · ‎10-05-2015

I wish to uninstall an app from my Search Head cluster and cluster peers. Is this the following the way to go about it?

On each Search Head and peer cluster member:

1.Run the following command in CLI

./splunk remove app [appname] -auth <username>:<password>

2.Remove user-specific directories created for your app or add-on by deleting the files found here:

   $SPLUNK_HOME/splunk/etc/users/*/<appname>

And, If the instance is a search peer, also delete the relevant index

4.Restart Splunk

Then,
Delete directory from $SPLUNK_HOME/etc/master-apps in Master Node
Delete directory from $SPLUNK_HOME/etc/shcluster/apps in Deployer

=====

Or, is there a central way to do this from the Deployer/Master?

Steve_G_ · ‎10-05-2015

All you need to do is to delete the app from $SPLUNK_HOME/etc/shcluster/apps on the deployer and then run "splunk apply shcluster-bundle". This will remove it from all cluster members.

This is documented in http://docs.splunk.com/Documentation/Splunk/6.3.0/DistSearch/PropagateSHCconfigurationchanges .

View solution in original post

Pagadala1995 · ‎07-09-2019

Delete the app from $SPLUNK_HOME/etc/shcluster/apps on the deployer and then run below command to remove the apps from all cluster members.

./splunk apply shcluster-bundle -target uri -force true -auth username:password

WARNING: using force option with an empty shcluster directory will delete all apps previously deployed to the search head cluster; use with extreme caution!

Steve_G_ · ‎10-05-2015

All you need to do is to delete the app from $SPLUNK_HOME/etc/shcluster/apps on the deployer and then run "splunk apply shcluster-bundle". This will remove it from all cluster members.

This is documented in http://docs.splunk.com/Documentation/Splunk/6.3.0/DistSearch/PropagateSHCconfigurationchanges .

adevi · ‎10-20-2016

What if the app to be removed was the only app deployed? When I issued the "splunk apply shcluster-bundle" command, it came back saying there should be atleast one app to push the configuration. How do I delete my only app using deployer ?

moliminous · ‎10-17-2019

To push an empty bundle, use the '-force true' flag, syntax would be:
splunk apply shcluster-bundle --answer-yes -force true -target : -auth :

nawazns5038 · ‎01-17-2019

you can create a sample app(a folder in shcluster/apps directory) with zero or uneffecting configs like app.conf and push the bundle

ishaanshekhar · ‎10-05-2015

Thank you! How about for the Indexer cluster app?

Steve_G_ · ‎10-06-2015

Yes, the same method works to remove an app from the peers on an indexer cluster.

moliminous · ‎10-17-2019

Not quite the same, the caveat being that a SHC Deployer can overwrite /opt/splunk/etc/apps/ on the SHC members, but a Cluster Master will only control what is contained in /opt/splunk/etc/slave-apps/ on the Indexers. For Indexers, you would still need to manually clean up /opt/splunk/etc/apps/ regardless if they are a member of a cluster or not.

ishaanshekhar · ‎10-08-2015

Thanks! How about the associated indexes? Do I need to delete those one by one on each indexer?

mustapha_arakji · ‎02-01-2023

All peer nodes share a common configuration that's managed by the manager node. So index configuration can be controlled from the manager node.

https://docs.splunk.com/Documentation/Splunk/9.0.3/Indexer/Updatepeerconfigurations

isoutamo · ‎02-02-2023

If you are removing index definition from CM’s indexes.conf it just removes that definition from peers’ configuration, BUT it don’t remove actual index directories/events from disk. Those you must remove manually from every nodes.

How to remove an app from a search head cluster and cluster peers?

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...