I wish to uninstall an app from my Search Head cluster and cluster peers. Is this the following the way to go about it?
On each Search Head and peer cluster member:
1.Run the following command in CLI
./splunk remove app [appname] -auth <username>:<password>
2.Remove user-specific directories created for your app or add-on by deleting the files found here:
And, If the instance is a search peer, also delete the relevant index
Delete directory from $SPLUNKHOME/etc/master-apps in Master Node
Delete directory from $SPLUNKHOME/etc/shcluster/apps in Deployer
Or, is there a central way to do this from the Deployer/Master?
All you need to do is to delete the app from $SPLUNK_HOME/etc/shcluster/apps on the deployer and then run "splunk apply shcluster-bundle". This will remove it from all cluster members.
This is documented in http://docs.splunk.com/Documentation/Splunk/6.3.0/DistSearch/PropagateSHCconfigurationchanges .
Yes, the same method works to remove an app from the peers on an indexer cluster.
Thanks! How about the associated indexes? Do I need to delete those one by one on each indexer?
Not quite the same, the caveat being that a SHC Deployer can overwrite /opt/splunk/etc/apps/ on the SHC members, but a Cluster Master will only control what is contained in /opt/splunk/etc/slave-apps/ on the Indexers. For Indexers, you would still need to manually clean up /opt/splunk/etc/apps/ regardless if they are a member of a cluster or not.
What if the app to be removed was the only app deployed? When I issued the "splunk apply shcluster-bundle" command, it came back saying there should be atleast one app to push the configuration. How do I delete my only app using deployer ?
you can create a sample app(a folder in shcluster/apps directory) with zero or uneffecting configs like app.conf and push the bundle
To push an empty bundle, use the '-force true' flag, syntax would be:
splunk apply shcluster-bundle --answer-yes -force true -target : -auth :
Delete the app from $SPLUNK_HOME/etc/shcluster/apps on the deployer and then run below command to remove the apps from all cluster members.
./splunk apply shcluster-bundle -target uri -force true -auth username:password
WARNING: using force option with an empty shcluster directory will delete all apps previously deployed to the search head cluster; use with extreme caution!