I have deployed an application via the deployment server. What is the preferred way to remove an app from a deployment client? It appears that the action can be completed by updating the whitelist or blacklist for the server class.
Chris R has a good approach if you are dealing with custom apps. However, if you are trying to disable built-in apps, such as
sample_app, you should consider disabling these apps instead of removing them. The reason being is that next time you install a Splunk upgrade, these apps will get re-installed and will be enabled again if you only removed the app folder.
One approach to wiping out an app is to create an empty app folder with nothing but the
local/app.conf file, with the following content:
[install] state = disabled
The app can simply be removed by deleting the contents of $SPLUNK_HOME/apps/< appname > on the client
You will of course have to remove the entry on your deployment server so the app does not get deployed again. Check in your $SPLUNK_HOME/etc/system/local/serverclass.conf which deploys that app to the client.
Look for the hostname or ip, something like
restartSplunkd = true