Deployment Architecture

What is the preferred way to remove a deployed application on a host?

Path Finder

I have deployed an application via the deployment server. What is the preferred way to remove an app from a deployment client? It appears that the action can be completed by updating the whitelist or blacklist for the server class.

Tags (1)
0 Karma

Super Champion

Chris R has a good approach if you are dealing with custom apps. However, if you are trying to disable built-in apps, such as SplunkForwarder or sample_app, you should consider disabling these apps instead of removing them. The reason being is that next time you install a Splunk upgrade, these apps will get re-installed and will be enabled again if you only removed the app folder.

One approach to wiping out an app is to create an empty app folder with nothing but the local/app.conf file, with the following content:

state = disabled


This disables the app? Or does it remove the custom app folder from the deployment clients as well?

0 Karma

Splunk Employee
Splunk Employee

The app can simply be removed by deleting the contents of $SPLUNK_HOME/apps/< appname > on the client

You will of course have to remove the entry on your deployment server so the app does not get deployed again. Check in your $SPLUNK_HOME/etc/system/local/serverclass.conf which deploys that app to the client.

Look for the hostname or ip, something like

...other stuff...
restartSplunkd = true

0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...