Getting Data In

/opt/ee_splunk/splunk/etc/apps/splunk_essentials_8_2/default/app.conf' changed. in SHC

Path Finder

Hi all

Some how splunk_essentials_8_2 directopry got removed from this directory /opt/splunk/etc/apps .later i replicated this directory from other instance.But i see the below error.can some one help with this.

Validating installed files against hashes from '/opt/ee_splunk/splunk/splunk-8.2.0-e053ef3c985f-linux-2.6-x86_64-manifest'
File '/opt/ee_splunk/splunk/etc/apps/splunk_essentials_8_2/default/app.conf' changed.
Problems were found, please review your files and move customizations to local




Labels (1)
0 Karma

Splunk Employee
Splunk Employee

This is a known issue reported in this version, please verify the following information: SPL-208259, SPL-210931, SPL-211811

Copy splunk_essentials_8_2 into the deployer's $SPLUNK_HOME/etc/shcluster/apps.

0 Karma


I am having a similar issue but in my case the complete app gets removed from all shc members. I feel like removing the hash is more of a hack than a solution.

This is a default app that shouldn't be removed; seems like a bug to me.

0 Karma


Hi mate.

It's the same issue. The whole app gets removed from all SHC members. It's a hack indeed, but only solution since the app got removed and there is no way to put it back without changing the hash.

Indeed. It's a bug...


Instead of copying the directory over from another SH you should re-deploy the app via deployer.

An upvote would be appreciated and Accept Solution if it helps!
0 Karma


Just delete following line: '/opt/ee_splunk/splunk/etc/apps/splunk_essentials_8_2/default/app.conf
From the splunk manifest in /opt/ee_splunk/splunk

Sometimes Apps created during the installation ( The ones that splunk keeps a manifest), if they get pushed by the SHC deployer,  the checksum can get modified when the members get it.

I had the same issue with this App and the only way I could get it working was by deleting the record...

The App booked a one way flight to Belize when I created the Search Head Cluster. 

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...