Splunk Enterprise

How to remove APP from a Search Head cluster?

maurobissante
Explorer

Hi! I tried removing an app from a Search Head cluster, deleting it from the deployer's shcluster/apps directory and pushing the other apps, but this doesn't work properly and the app stays on my Search Heads. Is there another way to remove it?

Thanks,

Mauro

dural_yyz
Communicator

I'm having a very similar issue: I'm trying to pare down a particular app, removing the ingestion scripts to leave just the field extractions. On the deployer we removed the app from ./shcluster/apps/ and reloaded the version we wanted. I have verified that the bundle the SHD pushed contained only the files I want/need. The members in the search cluster reflect updated timestamps on the folders/files which I want.

However, files and folders I have attempted to remove from the app are still present on the search cluster members and captain.

Note: There was no cluster bundle applied between deleting ./shcluster/apps/<target_app>/ and then putting back only the contents I want. I assume from the above note that even that would not have helped anyway.

Looking forward to the answer.

0 Karma

isoutamo
SplunkTrust

Hi

If you didn't push a bundle to the SHC that didn't contain that app, then all the old local settings are on the SHC members. And when there are local changes (made with the GUI on the SHC), those are used instead of your new versions in the default directory. Basically, there are two options to fix this:

  1. Remove the app from the deployer's shcluster/apps directory and push a new bundle to the SHC => this will do a rolling restart of the SHC members
  2. Use the correct push mode to "clean" local changes on the members. See: https://community.splunk.com/t5/Deployment-Architecture/Which-Deployer-Push-Mode/m-p/499891

r. Ismo

dural_yyz
Communicator

Thank you for the feedback.

I resolved my issue by renaming the app folder with a significantly bare-bones version of the original app from Splunkbase. This resolved my issue, as the push treated everything like a completely different app and the original app was removed from the SHC.

Since the issue I was having was with unwanted packaged scripts trying to run and not user or GUI changes, this appeared to be the only way forward. I couldn't afford to have the field extractions missing, so essentially issuing the same extracts under a new app name was what worked for me.

0 Karma

isoutamo
SplunkTrust

Hi

If you originally deployed it with the Deployer, it should be removed like this. BUT if someone has created it locally on every SHC node and it hasn't been on the deployer, then you must remove it on each SHC node one by one (this is not a recommended way). Another option is that filesystem-level permissions prevent the user running Splunk from removing those directories and files from the SHC nodes. So please check those and, if needed, update them to the correct values (the Splunk user should have rw on files and rwx on directories). Then you could try the apply from the Deployer again.

Did you get any error messages after you did the apply (command line or internal logs)?

r. Ismo
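
The permission rule from the reply above (the Splunk user needs rw on files and rwx on directories), as an added example that is not part of the original thread. The function name `check_app_perms`, the default account name `splunk` and the app path are assumptions; it checks only ownership and owner mode bits, not ACLs.

```shell
#!/bin/sh
# Added example: list paths under an app directory that the Splunk service
# account could not modify or remove, per the rule in the reply above
# (files: rw for the owner, directories: rwx for the owner).
# Assumptions: the account name (default "splunk") and the app path are
# placeholders; only the owner and the owner mode bits are checked, not ACLs.

check_app_perms() {
    app_dir=$1
    run_as=${2:-splunk}    # user name or numeric uid Splunk runs as

    if [ ! -d "$app_dir" ]; then
        echo "not a directory: $app_dir" >&2
        return 2
    fi

    # Each output line has the form: <reason> <path>
    problems=$(
        # Anything not owned by the Splunk account.
        find "$app_dir" ! -user "$run_as" -exec printf 'owner %s\n' {} \;
        # Regular files missing owner read or write (mode bits 0600).
        find "$app_dir" -type f ! -perm -600 -exec printf 'file-mode %s\n' {} \;
        # Directories missing owner read, write or execute (mode bits 0700).
        find "$app_dir" -type d ! -perm -700 -exec printf 'dir-mode %s\n' {} \;
    )

    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1    # at least one path would block removal by the deployer push
    fi
    return 0
}

# Example call (path is an assumption; adjust SPLUNK_HOME and the app name):
# check_app_perms "$SPLUNK_HOME/etc/apps/<target_app>" splunk
```

Run it on each SHC member before re-applying the bundle from the deployer; an empty result with exit status 0 means ownership and owner mode bits are not what is keeping the old files in place.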
