Splunk Search

getting this error while applying distribution bundle

hrithiktej
Communicator

I have some apps that I deleted in slave-apps directory on our indexers and now our master apps on cluster master has these files and i want to push the distribution bundle but gives this error
In handler 'clustermastercontrol': No new bundle will be applied. The master and peers already have this bundle with bundle id = 9BF1726DFB2075A5E9149D2D00E8AE98

0 Karma
1 Solution

sbbadri
Motivator

@hrithiktej,

Problem is cluster master always have reference to all the apps available in the Indexer cluster. If you remove apps from cluster peers i.e., slave-apps. App will be reloaded again from CM's master-apps.

Please follow below steps in cluster master to resolve your issue.

1) Delete the apps which you don't want from $SPLUNK_HOME/etc/master-apps
2) Execute this command $SPLUNK_HOME/bin/splunk apply custer-bundle

Validation: Once you execute above command. login to any one of the peers. Apps should not be available.

3) Modify/place new app under $SPLUNK_HOME/etc/master-apps
4) Execute this command $SPLUNK_HOME/bin/splunk apply custer-bundle

For more details, check below link,
https://docs.splunk.com/Documentation/Splunk/6.6.3/Indexer/Manageappdeployment

I hope this helps you

View solution in original post

0 Karma

hrithiktej
Communicator

@sbbadri thanks this resolved my problem i deleted the unwanted app from master-apps directory and did a distributed push and it was succesful.

One more question after i redistribute the bundle which has config changes do i need a reboot for both indexers/peers or no ?

0 Karma

sbbadri
Motivator

No need. Redistribute command itself will take care of restart splunk service for config changes. Don't want to do it manually.

0 Karma

hrithiktej
Communicator

oh ok great thank you.

0 Karma

lfedak_splunk
Splunk Employee
Splunk Employee

Hey @krithiktej, if @sbbadri solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

0 Karma

sbbadri
Motivator

@hrithiktej,

Problem is cluster master always have reference to all the apps available in the Indexer cluster. If you remove apps from cluster peers i.e., slave-apps. App will be reloaded again from CM's master-apps.

Please follow below steps in cluster master to resolve your issue.

1) Delete the apps which you don't want from $SPLUNK_HOME/etc/master-apps
2) Execute this command $SPLUNK_HOME/bin/splunk apply custer-bundle

Validation: Once you execute above command. login to any one of the peers. Apps should not be available.

3) Modify/place new app under $SPLUNK_HOME/etc/master-apps
4) Execute this command $SPLUNK_HOME/bin/splunk apply custer-bundle

For more details, check below link,
https://docs.splunk.com/Documentation/Splunk/6.6.3/Indexer/Manageappdeployment

I hope this helps you

0 Karma

hrithiktej
Communicator

Thank you i will try this and update you tomo. I have uploaded the unwanted app into master-apps and in slave-apps tomo i will delete the app from cluster master and then try distributing the bundl again.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...