Solved: Why do we see apps on the forwarder which are not ...

danielbb · ‎07-12-2021

We see on the UF -

/opt/splunkforwarder/etc/apps
$ \ls -tlr
total 48
drwxr-xr-x   4 splunk   splunk         4 Apr 15  2019 SplunkUniversalForwarder
drwxr-xr-x   4 splunk   splunk         4 Apr 15  2019 introspection_generator_addon
drwxr-xr-x   4 splunk   splunk         4 Apr 15  2019 search
drwxr-xr-x   3 splunk   splunk         3 Apr 15  2019 splunk_httpinput
drwxr-xr-x   5 splunk   splunk         5 Apr 15  2019 learned

These apps are not on the deployment server and they interfere with the configurations on the forwarder.

Why are they there and what can be done to remove them?

venkatasri · ‎07-12-2021

Hi @danielbb

These are default apps they come along with UF installation, if you wanted to remove them you might end up having issues as some of default/ conf files getting used by forwarder. There is no docs around what are default apps and their purpose.

If the apps in your DS are conflicting then you shall rename them on DS, i would not modify the names of these default apps on forwarder but you give a try and see the impact with full backup on before.

--

An upvote would be appreciated if this reply helps!

View solution in original post

venkatasri · ‎07-12-2021

Hi @danielbb

These are default apps they come along with UF installation, if you wanted to remove them you might end up having issues as some of default/ conf files getting used by forwarder. There is no docs around what are default apps and their purpose.

If the apps in your DS are conflicting then you shall rename them on DS, i would not modify the names of these default apps on forwarder but you give a try and see the impact with full backup on before.

--

An upvote would be appreciated if this reply helps!

Why do we see apps on the forwarder which are not on the deployment server?

universal forwarder

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout