Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Reinstalling Splunk

Abass42
Communicator
‎06-14-2024 12:57 PM

I have been working on our Splunk Dev environment, and since then, I have reinstalled and uninstalled Splunk many times. I had a question as to why even on a fresh install, the apps, and a few other artifacts remain? Once i wipe all traces of splunk off a server, I would think that upon reinstall, it would be a fresh start. yet, some of the GUI settings remain, and even some apps on the specific servers remain. 

I have one dev indexer, SH, and Forwarder. We have specific apps that i have installed for people months ago, and since then, have rm -rf all traces that I could find of splunk, and yet, upon reinstall of splunk, I still see those apps under /SPLUNK_HOME/etc/apps. I have the same tar that i am unzipping on each server. yet, things like that persist across the servers. 

 

My question is, what is storing that info? For example, the app BeyondTrust-PMCloud-Integration/, located under /export/opt/splunk/etc/apps, persists throughout two or three reinstalls of splunk. Is the FS storing data about the Splunk install even after i rm -rf all of /export/opt/splunk?  Im trying to fix some annoying issues for replication and such by just resetting the servers, since i am building them from ground up, but these servers are still retaining some stuff. I decided to redo Splunk dev after we kept having issues with the old Dev environment. I was wanting a completely fresh start, but it seems as if Splunk retains some things even after a full reset. So im not sure if some problems are still persisting because something from a previous install is still floating around somewhere. Thanks for any help

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-14-2024 05:22 PM

Everything Splunk knows about itself is in $SPLUNK_HOME (/export/opt/splunk, in this case).  Once that directory is wiped, there will be no remnants of Splunk software on the system.  Indexed data may remain, especially if $SPLUNK_DB is in a different mount point (as recommended).

Before re-installing Splunk, did you confirm the app directories are gone?  Have you looked to see if they're part of the tarball you're expanding?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
Top