HI,
how to properly (completly) remove Splunk addon and install it again ?
My deployment script redeploying all Splunk addons/apps using this command:
$HOME_SPLUNK/bin/splunk remove app app_name
$HOME_SPLUNK/bin/splunk install app app_name
What is strange, You will be able to redeploy applications this way, till You will create some dashboard in app or You will modify something in Your app/addon. Afterwards, when You will reinstall Your app with this two commands - You will not have an access to it anymore.
I have tested it with Cisco ESA addon. Everything is working fine till I will start using that app. Afterwards, when app is configured and my script will remove and install app again - I see error 404.
I suspect that application generating some searches which are not properly removed by "./splunk remove app" command.
This problem appear for example in addon: Splunk-App-CISCO-ESA.
Maybe some one will be able to help me and show me the way how to properly deploy/redeploy apps in searchhead using command line. How to avoid 404 errors afterwards ?
Thanks in advance for Your support.
Dlugi
Hello @conwaw,
this error in web_service.log occurs if a navigation definition points to a non existing view.
An example: if you have an app with this structure:
App_Name/
├── default
│ ├── app.conf
│ ├── data
│ │ └── ui
│ │ ├── nav
│ │ │ └── default.xml
│ │ └── views
│ │ ├── Servers.xml
│ │ ├── Tasks.xml
and default.xml in the nav folder looks like:
<nav>
<view name="Servers" default='true' />
<view name="Templates" />
<view name="Tasks" />
</nav>
then you will get an error WARNING appnav:404 - An unknown view name "Templates" is referenced in the navigation definition for "App_Name".
You have to find this default.xml and fix it.
Let me know how if it worked
Hi,
thank You for Your time and support. :)))))
In did, ../ui folder was almost empty.
[splunk@deda1000 ui]$ pwd
/opt/splunk/etc/apps/Splunk_TA_cisco-esa/default/data/ui
[splunk@deda1000 ui]$ ll
total 4
drwxr-xr-x 2 splunk splunk 4096 Jul 4 2018 panels
[splunk@deda1000 ui]$
I have created ..\nav and ..\views folder with default.xml inside ..\nav.
..\views folder is empty.
Log showing this:
2020-04-30 14:33:22,055 INFO [5eaac592097febdc08ae50] startup:139 - Splunk appserver version=8.0.0 build=1357bef0a7f6 isFree=False isTrial=False
2020-04-30 14:33:22,104 INFO [5eaac592097febdc08ae50] cached:163 - /opt/splunk/etc/apps/Splunk_TA_cisco-esa/appserver/static/setup.json
2020-04-30 14:33:22,148 WARNING [5eaac592097febdc08ae50] appnav:404 - An unknown view name "Servers" is referenced in the navigation definition for "Splunk_TA_cisco-esa".
2020-04-30 14:33:22,148 WARNING [5eaac592097febdc08ae50] appnav:404 - An unknown view name "Templates" is referenced in the navigation definition for "Splunk_TA_cisco-esa".
2020-04-30 14:33:22,148 WARNING [5eaac592097febdc08ae50] appnav:404 - An unknown view name "Tasks" is referenced in the navigation definition for "Splunk_TA_cisco-esa".
2020-04-30 14:33:22,149 INFO [5eaac592097febdc08ae50] error:321 - Masking the original 404 message: 'Splunk cannot find the "None" view.' with 'Page not found!' for security reasons
still not working...
I suspect that my script removed (rm -rf ./Splunk_TA_cisco-esa) app folder instead of deinstall ./bin/splunk remove app Splunk_TA_cisco-esa . I have just installed splunk local and will try to deploy that app, after deployment I will copy app folder to prod system and then try to uninstall. Maybe this will help. Let me try it.
Hello @conwaw,
please check if you have any artifacts/remainings/mods under $SPLUNK_HOME/etc/users/XXX/
HI Pavel,
thanks for Your feedback.
I have reviewed mentioned folder. Except all users it include two folders and file:
There are no mods.
Few weeks ago I have renamed that app and I suspect that, this name change modified something.
Maybe its cached somewhere ? I have clean up browser cache but it didnt helped.
Do You have any other ideas ?
Hello @conwaw,
please run this search on CLI to find where Splunk_TA_cisco-esa is referenced:
grep -Er Splunk_TA_cisco-esa $SPLUNK_HOME/etc/* |grep -Fe ".xml:" -e ".conf:" |grep -Fv ".js:"
and after removing all ESA-related apps/addons:
grep -Er Tasks $SPLUNK_HOME/etc/* |grep -Fe ".xml:" -e ".conf:" |grep -Fv ".js:"
Just would like to add logs from web_service.log for that incident. Maybe some one knows how to solve it ?
2020-04-29 11:25:05,547 INFO [5ea947f1877f198ba62e10] startup:139 - Splunk appserver version=8.0.0 build=1357bef0a7f6 isFree=False isTrial=False
2020-04-29 11:25:05,632 WARNING [5ea947f1877f198ba62e10] appnav:404 - An unknown view name "Servers" is referenced in the navigation definition for "Splunk_TA_cisco-esa".
2020-04-29 11:25:05,632 WARNING [5ea947f1877f198ba62e10] appnav:404 - An unknown view name "Templates" is referenced in the navigation definition for "Splunk_TA_cisco-esa".
2020-04-29 11:25:05,632 WARNING [5ea947f1877f198ba62e10] appnav:404 - An unknown view name "Tasks" is referenced in the navigation definition for "Splunk_TA_cisco-esa".
2020-04-29 11:25:05,633 INFO [5ea947f1877f198ba62e10] error:321 - Masking the original 404 message: 'Splunk cannot find the "None" view.' with 'Page not found!' for security reasons