How to delete an app deployed to a search head cluster
- release date
- 2017-07-05
- last updated
- 2024-03-04
- version
- Splunk Enterprise 9.0.4
- Overview
- An app that has been deployed to a search head cluster can be deleted through the Deployer. However, an app that is disabled cannot be deleted this way. If the app is disabled, enable it first and then delete it.
- Change log
- 2017/07/05 First Edition
2018/10/11 Corrected typo (Wrong: apps.conf Correct: app.conf)
Updated 2023/3/4
- Reference information
- content
If you no longer need an app that was deployed to a search head cluster using the Deployer, you can remove it from the cluster using the following method.
Setup steps
- On the deployer, delete the directory of the app to be removed from $SPLUNK_HOME/etc/shcluster/apps.
- Run the following command:
$SPLUNK_HOME/bin/splunk apply shcluster-bundle -target <URI>:<management port> -auth <admin user>:<password>
- *Note 1:
  - target: Specify any one cluster member. The bundle is eventually distributed to all members, so specifying a single server is sufficient.
  - auth: Deployer's username and password
  - The management port defaults to 8089.
- *Note 2: $SPLUNK_HOME is the installation directory. For a default installation it is as follows:
  - Linux: Splunk Enterprise: /opt/splunk
  - Windows: Splunk Enterprise: C:\Program Files\Splunk
Important points
- If the app you want to delete is disabled
If the app you want to delete is disabled in its app.conf as shown below, you will not be able to delete the app from the search head cluster.
[install]
state = disabled
If you want to delete a disabled app, enable it before deleting it. Follow the steps below:
[Procedure]
Change the deployer's $SPLUNK_HOME/etc/shcluster/apps/<name of app to be deleted>/local/app.conf as follows:
[install]
state = enabled
Run the following command:
$SPLUNK_HOME/bin/splunk apply shcluster-bundle -target <URI>:<management port> -auth <admin user>:<password>
- Restarting Splunk
When you enable, disable, or delete an app, Splunk restarts to apply the latest settings.
In a search head cluster environment, to avoid downtime, the search heads are not all restarted at the same time but one after another at staggered intervals. For this reason, there is no period during which searches cannot be performed, but we recommend performing the work at a time when it will have the least impact.
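The disabled-app condition described under "Important points" can be checked on the deployer before the app directory is deleted. The script below is an added example, not code from Macnica or Splunk; the function names, the sample app names, and the treatment of an app with no state setting as enabled are assumptions.

```shell
#!/bin/sh
# Added example: preflight check on the deployer's staging directory.

# Print the "state" value from the [install] stanza of one app.conf, if any.
install_state_in_file() {
    [ -f "$1" ] || return 0
    awk '
        /^[ \t]*\[/ { in_install = ($0 ~ /^[ \t]*\[install\][ \t\r]*$/); next }
        in_install && /^[ \t]*state[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); state = $0
        }
        END { if (state != "") print state }
    ' "$1"
}

# Effective state of app $2 under staging directory $1; local/app.conf wins
# over default/app.conf. Assumption: no "state" setting means enabled.
app_state() {
    [ -d "$1/$2" ] || { echo "missing"; return 0; }
    s=$(install_state_in_file "$1/$2/local/app.conf")
    [ -n "$s" ] || s=$(install_state_in_file "$1/$2/default/app.conf")
    echo "${s:-enabled}"
}

# Map the state to the next step of the procedure on this page.
removal_plan() {
    case "$(app_state "$1" "$2")" in
        missing)  echo "nothing-to-do" ;;
        disabled) echo "enable-and-push-first" ;;
        *)        echo "delete-and-push" ;;
    esac
}

# Constructed sample staging tree (hypothetical app names) for a dry run.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/app_on/default" "$d/app_off/default" "$d/app_off/local"
    printf '[ui]\nlabel = On\n' > "$d/app_on/default/app.conf"
    printf '[install]\nstate = enabled\n' > "$d/app_off/default/app.conf"
    printf '[install]\nstate = disabled\n[ui]\nstate = x\n' > "$d/app_off/local/app.conf"
    echo "$d"
}

tree=$(make_sample_tree)
for app in app_on app_off app_gone; do
    echo "$app: $(removal_plan "$tree" "$app")"
done
rm -rf "$tree"
```

On a real deployer, call it as removal_plan "$SPLUNK_HOME/etc/shcluster/apps" <app name>; the script only reads files and never runs apply shcluster-bundle itself.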