Why am I receiving warning about apps and default apps?

domino30
Path Finder

Does this affect anything typically?

I ask this because I have apps that I downloaded from Splunkbase and put into /opt/splunk/etc/shcluster/apps and ran the command recommended, but those apps aren't showing up in apps on any of my SHs in my cluster.

yeahnah
Motivator

Hi @domino30 

It's due to at least one app you are looking to deploy from the SHC deployer already being part of the Splunk Enterprise base package set. In our experience, it was due to the Splunk upgrade readiness app (python_upgrade_readiness_app), which is now part of the default base Splunk install.

You can check the default base package apps on your search head by looking at its manifest file, e.g. 

[splunk@myhost ~]$ awk -F'/' '/etc\/apps\/\w+ \-/{print $0}' $SPLUNK_HOME/splunk-*-manifest
d 755 splunk splunk splunk/etc/apps/SplunkForwarder -
d 755 splunk splunk splunk/etc/apps/SplunkLightForwarder -
d 755 splunk splunk splunk/etc/apps/alert_logevent -
d 755 splunk splunk splunk/etc/apps/alert_webhook -
d 755 splunk splunk splunk/etc/apps/appsbrowser -
d 755 splunk splunk splunk/etc/apps/introspection_generator_addon -
d 755 splunk splunk splunk/etc/apps/journald_input -
d 755 splunk splunk splunk/etc/apps/launcher -
d 755 splunk splunk splunk/etc/apps/learned -
d 755 splunk splunk splunk/etc/apps/legacy -
d 755 splunk splunk splunk/etc/apps/python_upgrade_readiness_app -
d 755 splunk splunk splunk/etc/apps/sample_app -
d 755 splunk splunk splunk/etc/apps/search -
d 755 splunk splunk splunk/etc/apps/splunk_archiver -
d 755 splunk splunk splunk/etc/apps/splunk_essentials_8_2 -
d 755 splunk splunk splunk/etc/apps/splunk_gdi -
d 755 splunk splunk splunk/etc/apps/splunk_httpinput -
d 755 splunk splunk splunk/etc/apps/splunk_instrumentation -
d 755 splunk splunk splunk/etc/apps/splunk_internal_metrics -
d 755 splunk splunk splunk/etc/apps/splunk_metrics_workspace -
d 755 splunk splunk splunk/etc/apps/splunk_monitoring_console -
d 755 splunk splunk splunk/etc/apps/splunk_rapid_diag -
d 755 splunk splunk splunk/etc/apps/splunk_secure_gateway -

Compare it to the apps you are looking to deploy from the SHC deployer.

Options:
1. If you want to upgrade a Splunk default app then that is OK, but you'll need to use the recommended -push-default-apps true parameter. A symptom of doing this is that after a Splunk SHC member restarts a warning message about the manifest no longer matching is written, which makes sense when you think about it. We just ignore it.

2. The other option is not to upgrade the default install app and remove it from the SHC deployer.

Hope that helps
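
The comparison described in the answer above, scripted as an added example that is not part of the original post or of Splunk's tooling. The function names and the sample manifest and staging directory are constructed for illustration; the manifest line format is the one shown in the answer's output.

```shell
#!/bin/sh
# Added example: find apps staged on the SHC deployer that share a name with
# an app shipped in the Splunk base package, according to the install manifest.

# Print app names the manifest lists as directories directly under etc/apps.
# Entry format as shown in the answer: d 755 splunk splunk splunk/etc/apps/search -
manifest_default_apps() {
    awk '$1 == "d" && $5 ~ "^splunk/etc/apps/[^/]+$" {
             n = split($5, parts, "/"); print parts[n]
         }' "$1" | sort -u
}

# $1 = manifest file, $2 = deployer staging directory (etc/shcluster/apps).
# Prints each staged app whose name matches a default app.
deployer_collisions() (
    defaults=$(manifest_default_apps "$1")
    for dir in "$2"/*/; do
        [ -d "$dir" ] || continue      # staging dir empty: glob stayed literal
        app=$(basename "$dir")
        if printf '%s\n' "$defaults" | grep -qxF -- "$app"; then
            printf '%s\n' "$app"
        fi
    done
)

# Constructed sample data (not from a real install) so the example runs offline.
make_sample() {
    mkdir -p "$1/shcluster/apps/python_upgrade_readiness_app" \
             "$1/shcluster/apps/my_custom_ta"
    cat > "$1/manifest" <<'EOF'
d 755 splunk splunk splunk/etc/apps/search -
d 755 splunk splunk splunk/etc/apps/search/default -
d 755 splunk splunk splunk/etc/apps/python_upgrade_readiness_app -
EOF
}

if [ "$#" -eq 2 ]; then
    deployer_collisions "$1" "$2"      # real paths supplied by the caller
else
    tmp=$(mktemp -d) && make_sample "$tmp"
    deployer_collisions "$tmp/manifest" "$tmp/shcluster/apps"
    rm -rf "$tmp"
fi
```

Run with two arguments, a manifest file copied from a search head and the deployer's etc/shcluster/apps directory, it prints only the staged apps that would need -push-default-apps true or removal from the deployer.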

 

 
