Setup steps

• Delete the app to be deleted from the deployer's $SPLUNK_HOME/etc/shcluster/apps directory.
• Run the following command:

$SPLUNK_HOME/bin/splunk apply shcluster-bundle -target <URI>:<management port> -

auth <管理ユーザー>:<パスワード>

• *Note 1:
• 1. target: Specify any cluster member. It will be distributed to all members eventually, so it is fine to specify only one server.
  2. auth: Deployer's username and password
  3. The administration port defaults to 8089.

• *Note 2: $SPLUNK_HOME is the installation directory. By default, it is as follows:
• 1. $SPLUNK_HOME for default installation
  2. Linux：Splunk Enterprise : /opt/splunk
  3. Windows：Splunk Enterprise : C:\Program Files\Splunk

important point

• If the app you want to delete is disabled

If the app you want to delete is disabled in its app.conf as shown below, you will not be able to delete the app from the search head cluster.

[install]
state = disabled

If you want to delete a disabled app, please enable it before deleting it. Follow the steps below:

【procedure】

Change the deployer's $SPLUNK_HOME/etc/shcluster/apps/＜App name to be deleted＞/local/app.conf as follows:

[install]
state = enabled

Run the following command:

$SPLUNK_HOME/bin/splunk apply shcluster-bundle -target <URI>:<管理ポート> -auth <管理ユーザー>:<パスワード>

• Restarting Splunk

When you enable/disable an app, or delete an app, Splunk will restart to reflect the latest settings.

In a search head cluster environment, to avoid downtime, all search heads are not restarted at the same time, but are restarted in sequence at staggered intervals. For this reason, there will be no periods when searches cannot be performed, but we recommend that you perform the work during times when it will have the least impact.