Splunk Search

getting this error while applying distribution bundle

hrithiktej
Communicator

I have some apps that I deleted in the slave-apps directory on our indexers, and now our master-apps on the cluster master has these files. I want to push the distribution bundle, but it gives this error:
In handler 'clustermastercontrol': No new bundle will be applied. The master and peers already have this bundle with bundle id = 9BF1726DFB2075A5E9149D2D00E8AE98

0 Karma
1 Solution

sbbadri
Motivator

@hrithiktej,

The problem is that the cluster master always has a reference to all the apps available in the indexer cluster. If you remove apps from the cluster peers, i.e. slave-apps, the app will be reloaded again from the CM's master-apps.

Please follow the steps below on the cluster master to resolve your issue.

1) Delete the apps which you don't want from $SPLUNK_HOME/etc/master-apps
2) Execute this command: $SPLUNK_HOME/bin/splunk apply cluster-bundle

Validation: Once you execute the above command, log in to any one of the peers. The apps should not be available.

3) Modify/place the new app under $SPLUNK_HOME/etc/master-apps
4) Execute this command: $SPLUNK_HOME/bin/splunk apply cluster-bundle

For more details, check the link below:
https://docs.splunk.com/Documentation/Splunk/6.6.3/Indexer/Manageappdeployment

I hope this helps you

0 Karma
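Steps 1 and 2 of the answer above as a script for the cluster master. This is an added example, not code from the thread or from Splunk. It goes slightly beyond the answer by moving each app to a backup directory instead of deleting it, and it refuses app names that could point outside master-apps or at the built-in _cluster directory. The function names and the BACKUP_DIR default are assumptions; SPLUNK_HOME must be set and the CLI will ask for credentials if the session is not authenticated.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Run on the cluster master only.
# Assumptions: SPLUNK_HOME is set; BACKUP_DIR and its default are made up here.

# Move one app out of master-apps instead of deleting it, so it can be restored.
retire_master_app() {
    local app="$1"
    local src="${SPLUNK_HOME:?SPLUNK_HOME is not set}/etc/master-apps"
    local backup="${BACKUP_DIR:-$SPLUNK_HOME/var/retired-master-apps}"

    # Accept a bare directory name only: no path separators, no dot-dirs.
    case "$app" in
        ""|.*|*/*) echo "refusing app name: '$app'" >&2; return 2 ;;
        _cluster)  echo "refusing to remove built-in _cluster" >&2; return 2 ;;
    esac
    [ -d "$src/$app" ] || { echo "not in master-apps: $app" >&2; return 1; }

    mkdir -p "$backup" || return 1
    # Timestamp suffix keeps earlier backups of the same app.
    mv "$src/$app" "$backup/$app.$(date +%Y%m%d%H%M%S)"
}

# Retire every named app, then push the bundle once and report peer status.
# Stops at the first app that cannot be retired, before anything is pushed.
push_without_apps() {
    local app
    for app in "$@"; do
        retire_master_app "$app" || return $?
    done
    # --answer-yes skips the interactive confirmation prompt.
    "$SPLUNK_HOME/bin/splunk" apply cluster-bundle --answer-yes || return $?
    # Shows the active bundle on the master and on each peer.
    "$SPLUNK_HOME/bin/splunk" show cluster-bundle-status
}
```

Call it as push_without_apps followed by the app directory names; the status output takes the place of logging in to a peer to check that the app is gone.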

hrithiktej
Communicator

@sbbadri thanks, this resolved my problem. I deleted the unwanted app from the master-apps directory and did a distributed push, and it was successful.

One more question: after I redistribute the bundle which has config changes, do I need a reboot for both indexers/peers or not?

0 Karma

sbbadri
Motivator

No need. The redistribute command itself will take care of restarting the Splunk service for config changes. You don't want to do it manually.

0 Karma

hrithiktej
Communicator

Oh OK, great, thank you.

0 Karma

lfedak_splunk
Splunk Employee

Hey @hrithiktej, if @sbbadri solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

0 Karma

hrithiktej
Communicator

Thank you, I will try this and update you tomorrow. I have uploaded the unwanted app into master-apps and in slave-apps. Tomorrow I will delete the app from the cluster master and then try distributing the bundle again.

0 Karma