Splunk Search

How do I remove an app?

jared_anderson
Path Finder

I see questions about the difference between deleting apps and disabling them. I don't see how to actually delete them.

1 Solution

ChrisG
Splunk Employee

See Manage app and add-on objects > Uninstall an app in the Admin Manual. Basically, just remove the app directory itself and user-specific app directories under /etc/users/. You can also remove the app's indexed data if you want to.


sameeripro
Path Finder

Go to directory

/opt/splunk/etc/apps

ls

rm -rf [app name]

Restart splunk

indut
Path Finder

This worked for me, thank you

0 Karma

johnebgood
Path Finder

$SPLUNK_HOME/bin/splunk remove app

noy72
New Member

I am attempting to remove the Cisco ISE app. I have removed the folder from /etc/apps, but when I try to delete the Splunk_TA_cisco-ie folder, it is in use. What services do I need to stop in order to stop Splunk and be able to remove the TA folder? Sorry, this is Windows 2012R2 in an AD environment, single Splunk Enterprise instance, version 7.1.3.
Thanks in advance.

0 Karma

duartet
Path Finder

This is by far the best answer, which can be seen here:

http://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Managingappobjects

highsplunker
Contributor

(under the link)

Thanks a lot.

Uninstall an app or add-on

To remove an installed app from a standalone Splunk platform installation:

  1. (Optional) Remove the app or add-on's indexed data. Typically, the Splunk platform does not access indexed data from a deleted app or add-on. However, you can use the Splunk CLI clean command to remove indexed data from an app before deleting the app. See Remove data from indexes with the CLI command.
  2. Delete the app and its directory. The app and its directory are typically located in $SPLUNK_HOME/etc/apps/<appname>. You can run the following command in the CLI:
    ./splunk remove app [appname] -auth <username>:<password>
  3. You may need to remove user-specific directories created for your app or add-on by deleting any files found here: $SPLUNK_HOME/etc/users/*/<appname>
  4. Restart the Splunk platform.
0 Karma
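
The manual deletion route from the steps above as shell functions, added here as an example and not code from the thread or from Splunk. It validates the app name before any rm -rf, because an empty or ".." name would otherwise point the delete at etc/apps itself or its parent; the function names, the DRY_RUN variable and the allowed character set are assumptions.

```shell
#!/bin/sh
# Added example: remove a Splunk app directory and its per-user copies.
# Assumptions (not from the thread): function names, DRY_RUN, and the
# character set accepted for app directory names.

# Reject names that would send rm -rf to the wrong path:
# empty, ".", "..", or anything containing "/" or other unexpected characters.
valid_app_name() {
    case "$1" in
        ''|.|..) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print every directory that belongs to the app: etc/apps/<appname>
# and any user-specific copies under etc/users/*/<appname>.
splunk_app_paths() {
    home=$1 app=$2
    valid_app_name "$app" || { echo "invalid app name: '$app'" >&2; return 2; }
    [ -d "$home/etc/apps" ] || { echo "no etc/apps under '$home'" >&2; return 2; }
    for d in "$home/etc/apps/$app" "$home"/etc/users/*/"$app"; do
        # Skip unmatched globs, and skip symlinks so only real directories are listed.
        [ -d "$d" ] && [ ! -L "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Remove the app. With DRY_RUN=1 (the default) only list what would be deleted.
# Restart Splunk afterwards, as step 4 above says.
remove_splunk_app() {
    home=$1 app=$2
    paths=$(splunk_app_paths "$home" "$app") || return $?
    [ -n "$paths" ] || { echo "app '$app' not found" >&2; return 1; }
    printf '%s\n' "$paths" | while IFS= read -r p; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would remove: $p"
        else
            rm -rf -- "$p" && echo "removed: $p"
        fi
    done
}
```

Run `remove_splunk_app "$SPLUNK_HOME" <appname>` first to review the list, then repeat with `DRY_RUN=0` to delete.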

rodrigorsilva
Communicator

It worked fine, just located the app name in the Apps > Manage Apps > "folder name". Thank you very much.

johnebgood
Path Finder

Yes, "splunk remove app" is run from the splunk bin directory.

0 Karma

jared_anderson
Path Finder

Do I do this through command line?

0 Karma

ChrisG
Splunk Employee

See Manage app and add-on objects > Uninstall an app in the Admin Manual. Basically, just remove the app directory itself and user-specific app directories under /etc/users/. You can also remove the app's indexed data if you want to.

pir8radio
Path Finder

The link in your answer is no longer valid.

jared_anderson
Path Finder

Great, that fixed it. Thanks for your help and quick response.

ChrisG
Splunk Employee

Did you restart Splunk after you deleted the directories? I added that to the docs topic, sorry it wasn't there before.

jared_anderson
Path Finder

I deleted those directories, then on splunk the apps acted like an empty link. Now the directories have been recreated, and the apps work again.
